Platform and Infrastructure

Chapter 6: Operating the Infrastructure

Published: May 11, 2004 | Updated: June 26, 2006

After you have implemented and tested the infrastructure, a number of ongoing operational activities must take place to ensure that the solutions continue to operate successfully. This chapter, while not exhaustive, introduces a few operational considerations for the infrastructure services discussed in this paper.

Infrastructure Services

For more complete information about operational considerations for your identity and access management environment, see the Windows Server System Reference Architecture (WSSRA) page.

Directory Services

The Microsoft® Active Directory® directory service is central to all identity and access management solutions that use the Microsoft Platform. Therefore, Active Directory operations are an important part of any procedures that maintain these solutions.

Backing Up Active Directory

Unlike most applications, Active Directory is backed up as part of the system state, by using tools such as the Microsoft® Windows Server™ 2003 Backup utility (Ntbackup.exe). This tool can back up the entire system state while the domain controller remains online. Third-party applications and enterprise backup utilities have the same capability.

You should schedule regular backups for every domain controller and other critical server, because the system state backup taken on one domain controller cannot be used to restore a different domain controller. A backup also becomes unusable once it is older than the forest tombstone lifetime (60 days by default; 180 days for forests created with Windows Server 2003 SP1 or later), so the backup interval must stay well within that window.
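The following script is an added example, not code from the original guide: it takes a nightly system state backup of a domain controller with Ntbackup.exe, verifies that the backup file was produced, and prunes old copies on a retention period kept well inside the tombstone lifetime. The backup path, job name, service account and retention period are assumptions.

```batch
@echo off
rem Added example, not part of the original guide: nightly system state backup of
rem a domain controller with Ntbackup.exe, with a retention check kept well inside
rem the forest tombstone lifetime. The backup path, job name, service account and
rem retention period are assumptions. Run "backup-dc.cmd install" once to
rem schedule it; after that the Task Scheduler runs it every night.
setlocal
set BACKUP_DIR=D:\Backups\SystemState
set KEEP_DAYS=14

if /i not "%~1"=="install" goto run
rem Schedule this script daily at 02:00 under a backup account; /RP * prompts for
rem the password instead of leaving it on the command line.
schtasks /Create /TN "DC System State Backup" /TR "\"%~f0\"" /SC DAILY /ST 02:00 /RU "CONTOSO\svc-backup" /RP *
exit /b

:run
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

rem Date stamp yyyymmdd taken from WMI so the file name does not depend on the
rem regional date format; WMIC ships with Windows Server 2003.
set STAMP=
for /f "tokens=2 delims==" %%d in ('wmic os get LocalDateTime /value') do (
    if not defined STAMP set STAMP=%%d
)
set STAMP=%STAMP:~0,8%
set BKF=%BACKUP_DIR%\%COMPUTERNAME%-systemstate-%STAMP%.bkf

rem System state = Active Directory database, SYSVOL, registry, COM+ class
rem registration database and boot files, taken while the DC stays online.
rem /M normal = full backup, /L:s = summary log in the Ntbackup log folder.
ntbackup backup systemstate /J "%COMPUTERNAME% system state %STAMP%" /F "%BKF%" /M normal /L:s

rem Ntbackup does not reliably signal failure through its exit code, so check
rem that the backup file was produced and is not empty, and raise an
rem Application log event on failure so the monitoring system picks it up.
if not exist "%BKF%" goto failed
for %%F in ("%BKF%") do if %%~zF EQU 0 goto failed

rem Prune old backups. KEEP_DAYS must stay well below the tombstone lifetime,
rem 60 days by default, because a system state backup older than that can no
rem longer be restored. Copy each .bkf off the DC before it is pruned here.
forfiles /P "%BACKUP_DIR%" /M *.bkf /D -%KEEP_DAYS% /C "cmd /c del @path"
exit /b 0

:failed
eventcreate /L Application /T ERROR /ID 900 /SO SystemStateBackup /D "System state backup of %COMPUTERNAME% failed: %BKF% missing or empty"
exit /b 1
```

The event raised on failure (source SystemStateBackup, ID 900) is what the monitoring system should alert on; a backup job that silently stops producing files is the failure mode this check exists to catch.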

Monitoring Active Directory

Backup is a critical operational procedure for the infrastructure, but many problems can be identified and resolved before they become serious by actively monitoring Active Directory. Timely monitoring lets you resolve issues before users notice them, and users gain improved reliability and faster response times from Active Directory and from the services that depend on it.

There are a number of tasks involved when monitoring Active Directory, including:

Verifying that the domain controllers can communicate with the monitoring infrastructure.

Reviewing and resolving all new alerts and events on each domain controller.

Reviewing Active Directory reports to detect intermittent problems and other issues.

Reviewing Active Directory and Microsoft Identity Integration Server 2003, Enterprise Edition (MIIS 2003) activity to ensure that the account information created is correct, and that no accounts have been created outside of the automated provisioning processes.

For more information about managing and supporting Active Directory, see the Microsoft Windows Server 2003 Active Directory page.
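As an added example (not code from the original guide), the script below turns the monitoring tasks listed above into a daily check run from a management workstation: per-DC diagnostics, a forest-wide replication summary, a list of accounts created since the last review to reconcile against the MIIS 2003 run history, and recent Directory Service errors. The domain controller names, report path and review window are assumptions; Dcdiag and Repadmin come from the Windows Server 2003 Support Tools (repadmin /replsummary needs the SP1 version), and Dsquery ships with Windows Server 2003 and the Administration Tools Pack.

```batch
@echo off
rem Added example, not part of the original guide: a daily Active Directory health
rem check run from a management workstation. Domain controller names, the report
rem path and the review window are assumptions.
setlocal
set DCS=DC1 DC2
set REPORT=C:\ADReports\ad-health.txt
set SINCE=20060625000000.0Z
set DCDIAG_FAIL=

if not exist C:\ADReports mkdir C:\ADReports
echo ==== Active Directory health check ==== > "%REPORT%"

rem 1. Per-DC diagnostics. The Connectivity test always runs and confirms that
rem    the DC can be reached over LDAP and RPC. /q prints only failures, so an
rem    empty section means the tests passed.
for %%D in (%DCS%) do (
    dcdiag /s:%%D /test:Replications /test:Services /test:Advertising /test:SystemLog /q > "%TEMP%\dcdiag-%%D.txt"
    echo. >> "%REPORT%"
    echo --- dcdiag %%D --- >> "%REPORT%"
    type "%TEMP%\dcdiag-%%D.txt" >> "%REPORT%"
)
for %%F in ("%TEMP%\dcdiag-*.txt") do if %%~zF GTR 0 set DCDIAG_FAIL=1

rem 2. Forest-wide replication summary: largest replication delta and failure
rem    counts per source and destination DC. Intermittent replication problems
rem    show up here even on days when every dcdiag run passes.
echo. >> "%REPORT%"
echo --- repadmin /replsummary --- >> "%REPORT%"
repadmin /replsummary >> "%REPORT%"

rem 3. User accounts created since the last review. Compare the list against the
rem    MIIS 2003 run history: any account here that the provisioning run did not
rem    create was made outside the automated process and needs an explanation.
echo. >> "%REPORT%"
echo --- user accounts created since %SINCE% --- >> "%REPORT%"
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(whenCreated>=%SINCE%))" -attr sAMAccountName whenCreated distinguishedName -limit 0 >> "%REPORT%"

rem 4. Most recent errors in each DC's Directory Service event log.
for %%D in (%DCS%) do (
    echo. >> "%REPORT%"
    echo --- Directory Service log on %%D --- >> "%REPORT%"
    cscript //nologo %SystemRoot%\System32\eventquery.vbs /s %%D /l "Directory Service" /fi "Type eq ERROR" /r 25 /fo LIST >> "%REPORT%"
)

rem Raise an Application log event when any dcdiag test failed so that the
rem monitoring infrastructure alerts an operator without anyone opening the file.
if defined DCDIAG_FAIL eventcreate /L Application /T WARNING /ID 901 /SO ADHealthCheck /D "dcdiag reported failures; see %REPORT%"
echo Report written to %REPORT%
```

Set SINCE to the time of the previous review before each run (or have the scheduled job write it), and treat every account in section 3 that MIIS did not provision as a finding to be explained, not just noted.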

Certificate Services

There are a number of operational issues to consider with any public key infrastructure (PKI), including backup and recovery, auditing and monitoring, and certificate management.

Back up all certification authorities (CAs) regularly so that the CA database, the CA certificates and the CA private keys are protected. This is particularly important for the CA private keys: unless they are held in a hardware security module that has its own backup procedure, a lost CA key cannot be recovered by any means other than restoring a backup, and without it the CA can neither issue or renew certificates nor sign a new CRL.

Microsoft Certificate Services records notable events in the Windows Application event log, and the CA database records every request, issued certificate and revocation. Review both regularly to track CA activity, particularly for issued certificates and changes to the certificate revocation list (CRL).

Take great care with certificate management to ensure that the CRL is accurate and up to date. A new CRL must be published to every CRL distribution point before the current one expires: clients that require a successful revocation check treat an expired CRL as a failure and reject every certificate the CA issued, not just the revoked ones. You should also ensure that user certificates are renewed before they expire, so that users are not caught with expired certificates while they are out of the office. In addition, ensure that the CA certificates and the IIS 6.0 server certificates are maintained, kept current and reissued at regular intervals so that users are not locked out of services they need to access.

For more information about certificate management, see the Windows Server 2003 PKI Operations Guide.
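The script below is an added example, not code from the original guide or from the product. It covers the three points above on a Windows Server 2003 CA with Certutil.exe: a full CA backup, a review of the CRL settings followed by publication of a fresh CRL, a list of issued certificates that will expire within a window, recently revoked certificates, and the latest Certificate Services events. The backup folder and the expiry window are assumptions.

```batch
@echo off
rem Added example, not part of the original guide: routine CA operations with
rem Certutil.exe on a Windows Server 2003 certification authority. The backup
rem folder and the expiry window are assumptions; run it on the CA as a CA
rem administrator and backup operator.
setlocal
set CA_BACKUP_ROOT=D:\CABackup
set EXPIRY_DAYS=30

rem Date stamp yyyymmdd from WMI so each day's backup lands in its own folder.
set STAMP=
for /f "tokens=2 delims==" %%d in ('wmic os get LocalDateTime /value') do (
    if not defined STAMP set STAMP=%%d
)
set STAMP=%STAMP:~0,8%
set CA_BACKUP=%CA_BACKUP_ROOT%\%STAMP%

rem 1. Full CA backup: database, database log and the CA certificate with its
rem    private key, exported as a password-protected PFX. Certutil prompts for
rem    the PFX password; -p would allow an unattended run but puts the password
rem    on the command line. -f overwrites an earlier backup from the same day.
rem    Guard this folder as closely as the CA itself and move it off the server.
if not exist "%CA_BACKUP%" mkdir "%CA_BACKUP%"
certutil -f -backup "%CA_BACKUP%"

rem 2. CRL validity settings and a fresh CRL. CRLPeriodUnits/CRLPeriod set how
rem    long each CRL is valid; the new CRL must reach every CDP location before
rem    the current one expires, or clients that require a revocation check will
rem    reject all certificates from this CA.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -CRL

rem 3. Issued certificates expiring within EXPIRY_DAYS. Disposition 20 = issued;
rem    the date restriction uses certutil's now+days:hours syntax. Hand this
rem    list to the renewal process before the holders are locked out.
certutil -view -restrict "Disposition=20,NotAfter<=now+%EXPIRY_DAYS%:00" -out "RequestID,RequesterName,CommonName,NotAfter"

rem 4. Revoked certificates, Disposition 21, to reconcile against the revocation
rem    requests that were actually approved.
certutil -view -restrict "Disposition=21" -out "RequestID,CommonName,SerialNumber,Request.RevokedWhen,Request.RevokedReason"

rem 5. Latest Certificate Services events from the Application log; the service
rem    logs under source CertSvc.
cscript //nologo %SystemRoot%\System32\eventquery.vbs /l Application /fi "Source eq CertSvc" /r 50 /fo LIST
```

If the CA key lives in a hardware security module, step 1 backs up the database and certificate only and the HSM vendor's key backup procedure must run alongside it.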

Firewall and Proxy Services

Monitor the Microsoft Internet Security and Acceleration (ISA) server not only for performance issues, but also for security alerts and warnings. An ISA server provides a robust monitoring and management framework, and allows access to activity logs and summary reports. You can also configure an ISA server to issue alerts based on the events that it detects.

Because the ISA server is a critical security resource, take a great deal of care when examining its log files. When practical, enable an alerting system to notify operators about suspect events.

Other tasks involved in monitoring your ISA server include:

Verifying that the ISA server is operating and that its services are enabled.

Reviewing and resolving all new alerts and events that the ISA server generates.

Reviewing the ISA server logs and reports for security issues and other problems.

Using Network Monitor to track network traffic.

For more information about ongoing management and support of ISA Server, see the Internet Security and Acceleration Server page.
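As an added example (not code from the original guide or from the product), the script below performs the first three monitoring tasks listed above on the ISA Server computer: it checks that the firewall and control services are running, lists recent errors and warnings from the Application log, confirms that logging is still producing files, and counts denied connections in the newest firewall log. The service names are those of ISA Server 2004; the log folder, the log file naming pattern and the "Denied Connection" action text assume the default W3C file logging of that version and are stated as assumptions.

```batch
@echo off
rem Added example, not part of the original guide: ISA Server health check for
rem the monitoring tasks above. Service names are those of ISA Server 2004
rem (fwsrv = Microsoft Firewall, isactrl = Microsoft ISA Server Control). The
rem log folder, file naming and "Denied Connection" text assume W3C file logging
rem and are assumptions. Exit code 1 means something needs attention.
setlocal
set ISA_LOGS=%ProgramFiles%\Microsoft ISA Server\ISALogs
set FAIL=
set NEWEST=

rem 1. Are the firewall and control services running?
for %%S in (fwsrv isactrl) do (
    sc query %%S | find "RUNNING" > nul
    if errorlevel 1 (
        echo SERVICE %%S IS NOT RUNNING
        set FAIL=1
    ) else (
        echo service %%S running
    )
)

rem 2. Recent alerts. ISA alerts whose action includes "Report to Windows event
rem    log" are written to the Application log; list the latest errors and warnings.
cscript //nologo %SystemRoot%\System32\eventquery.vbs /l Application /fi "Type eq ERROR" /r 25 /fo LIST
cscript //nologo %SystemRoot%\System32\eventquery.vbs /l Application /fi "Type eq WARNING" /r 25 /fo LIST

rem 3. Is logging still producing files? Newest first; no file from today means
rem    the firewall is running without a record of what it allowed or denied.
if exist "%ISA_LOGS%" (
    dir /b /o-d "%ISA_LOGS%\*.w3c"
) else (
    echo LOG FOLDER %ISA_LOGS% NOT FOUND
    set FAIL=1
)

rem 4. Denied connections in the newest firewall log. ISA 2004 names firewall
rem    logs ISALOG_yyyymmdd_FWS_nnn.w3c and records the action as text in each
rem    line, so findstr is enough for a quick count.
for /f "delims=" %%F in ('dir /b /o-d "%ISA_LOGS%\ISALOG_*_FWS_*.w3c" 2^>nul') do (
    if not defined NEWEST set NEWEST=%%F
)
if defined NEWEST (
    echo --- denied connections in %NEWEST% ---
    findstr /c:"Denied Connection" "%ISA_LOGS%\%NEWEST%" | find /c /v ""
) else (
    echo NO FIREWALL LOG FILE FOUND
    set FAIL=1
)

if defined FAIL exit /b 1
exit /b 0
```

Schedule it to run a few times a day and alert on a non-zero exit code; a firewall whose services are up but whose log folder has gone quiet is the case that routine service monitoring alone misses.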

Patch Management

Contoso Pharmaceuticals uses Windows Server Update Services (WSUS) together with the Automatic Updates service that is included with Windows Server 2003 and Windows® XP Professional. Together, these distribute approved security and software updates to every server and client in the environment, and the WSUS reports show which computers have installed them and which have not yet reported in.

For more information about WSUS, see Windows Server Update Services.
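The following script is an added example, not code from the original guide: run on a Windows Server 2003 or Windows XP computer, it verifies that Automatic Updates is actually pointed at the WSUS server and enabled, then forces a detection cycle and a status report so the computer shows up correctly in the WSUS reports. The WSUS URL is an assumption. The registry values are normally set by Group Policy (Computer Configuration, Administrative Templates, Windows Components, Windows Update), so the script reads rather than writes them.

```batch
@echo off
rem Added example, not part of the original guide: check that this computer takes
rem updates from WSUS and is not silently going to Windows Update or nowhere.
rem The WSUS URL is an assumption. Values live under the Group Policy key.
setlocal
set WU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
set EXPECTED=http://wsus.contoso.com

rem WUServer is the update source; a missing key or a different URL means the
rem policy has not applied to this computer.
reg query "%WU_KEY%" /v WUServer | find /i "%EXPECTED%" >nul
if errorlevel 1 (
    echo WUServer is not %EXPECTED%; this computer is not using WSUS
    exit /b 1
)

rem UseWUServer must be 1, otherwise WUServer is ignored and Automatic Updates
rem talks to Microsoft Windows Update directly.
reg query "%WU_KEY%\AU" /v UseWUServer | find "0x1" >nul
if errorlevel 1 (
    echo UseWUServer is not 1; Automatic Updates will use Windows Update instead
    exit /b 1
)

rem NoAutoUpdate = 1 disables Automatic Updates entirely.
reg query "%WU_KEY%\AU" /v NoAutoUpdate | find "0x1" >nul
if not errorlevel 1 (
    echo NoAutoUpdate is 1; Automatic Updates is disabled on this computer
    exit /b 1
)

rem AUOptions: 2 = notify before download, 3 = download and notify,
rem 4 = download and schedule the install, 5 = let the local admin choose.
rem Servers normally use 4 with ScheduledInstallDay/ScheduledInstallTime.
reg query "%WU_KEY%\AU" /v AUOptions
reg query "%WU_KEY%\AU" /v ScheduledInstallDay
reg query "%WU_KEY%\AU" /v ScheduledInstallTime

rem Force a detection cycle now instead of waiting up to 22 hours for the next
rem scheduled one, then send the status report to the WSUS server.
wuauclt /detectnow
wuauclt /reportnow
echo Automatic Updates is configured for WSUS at %EXPECTED%
exit /b 0
```

Run this on any computer that the WSUS "computers not yet reported" report lists; the three exits above cover the usual reasons a machine stays unpatched while the WSUS console looks healthy.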

