Install Certificate Services on Windows Server 2008 R2

This post picks up where the last post left off.  In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.

If you’re not sure whether you need Certificate Services for your environment, it is cheap to have available: the role adds little overhead, so for development environments and very small businesses you can consider adding it to a DC (domain controller), as we do here.  Two caveats before you do.  Once the role is installed the server cannot be renamed, and a DC that hosts a CA cannot be demoted until the CA is removed.  And in production an enterprise CA is as sensitive as a domain controller, since whoever controls it can issue certificates for any user or computer in the domain, so it belongs on its own hardened, backed-up server rather than on a DC.  Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up TLS-enabled (HTTPS) websites.

Best practice is a two-tier hierarchy: a standalone (not domain-joined) root CA that is taken offline once it has signed the subordinate CA certificate and published its CRL, and one or more enterprise subordinate (issuing) CAs that handle all of the enrollment traffic.  With the root off the network, a compromised issuing CA can be dealt with by revoking that CA’s certificate from the root while the root key itself stays out of reach.  In this tutorial we’ll just be installing and configuring an enterprise root CA, which is fine for a lab but does mean the root key lives on an online, domain-joined server.  The wizard pages for a subordinate are the same, except that on ‘Specify CA Type’ you choose Subordinate CA and, instead of creating a self-signed certificate, the wizard produces a request that the parent CA has to sign before the subordinate can start.
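The settings the wizard never asks about (the root’s own key size and lifetime at renewal, how long its CRL stays valid, and whether the stock templates are published the moment the CA comes up) come from a file named CAPolicy.inf in %windir%, which CertSrv reads during role installation and again at each CA certificate renewal.  What follows is an added example, not part of the original post, that writes such a file from PowerShell for a root CA; the values are illustrative choices, not Microsoft defaults.  Microsoft documents that for a root CA the Renewal* values are also used for the certificate created at installation, so if you would rather pick the lifetime on the ‘Set Validity Period’ page later in the wizard, omit the two RenewalValidityPeriod lines.

```powershell
# Writes %windir%\CAPolicy.inf before the AD CS role is installed. Added example, not code from the
# original post; the values are illustrative choices for a root CA, not Microsoft defaults.
# CertSrv reads this file during role installation and again at every CA certificate renewal.

$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Key size and lifetime of the root CA's own certificate (used at renewal and, for a
; root CA, for the certificate created at installation).
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

; A root that is rarely online publishes a long-lived base CRL and no delta CRL.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; Do not auto-publish the stock templates (User, Machine, WebServer, ...) on an enterprise CA;
; publish only the templates you have reviewed, so authenticated users cannot request the rest.
LoadDefaultTemplates=0

; Keep PKCS#1 v1.5 signatures; 1 selects RSASSA-PSS, which many non-Windows clients reject.
AlternateSignatureAlgorithm=0
'@

$path = Join-Path -Path $env:windir -ChildPath 'CAPolicy.inf'
# Plain ANSI/ASCII text so CertSrv parses it as an ordinary INF file.
Set-Content -Path $path -Value $caPolicy -Encoding Ascii
Get-Content -Path $path
```

Run it from an elevated PowerShell on the server before you open Server Manager; the wizard picks the file up automatically, and you can confirm it was honoured afterwards in the Certification Authority console under the CA’s properties.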

Now that you’ve got some background information, onto the installation/configuration of Windows Server 2008 R2 Certificate Services.

In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane.  Place a check mark in the checkbox for Active Directory Certificate Services.  Then click Next.


On the ‘Introduction to Active Directory Certificate Services’ window, you can read up on the certificate services technology, how to manage a CA, and naming.  Click Next.

On the ‘Select Role Services’ page, make sure Certification Authority is selected, then select Certification Authority Web Enrollment; when the ‘Add Roles Wizard’ window appears, click the Add Required Role Services button (this pulls in IIS).  Click Next.  Only add Web Enrollment if you actually want browser-based requests: it is a classic ASP application under /CertSrv that by default accepts Windows (NTLM) authentication over plain HTTP, so if you keep it, bind it to HTTPS only and enable Extended Protection for Authentication; otherwise leave it out and use the Certificates MMC snap-in and autoenrollment instead.


On the ‘Specify Setup Type’ page, leave Enterprise selected (an enterprise CA is integrated with Active Directory: it uses certificate templates and supports autoenrollment, which is also why it has to stay online; Standalone is the choice for an offline root).  Click Next.  On the ‘Specify CA Type’ page, leave Root CA selected and click Next.  On the ‘Set Up Private Key’ page, leave Create a new private key selected and click Next.

On the ‘Configure Cryptography for CA’ page the 2008 R2 defaults are the RSA#Microsoft Software Key Storage Provider, a 2048-bit key and SHA1.  Change the hash algorithm to SHA256 here: it signs the CA’s own certificate and cannot be changed without renewing that certificate, it is also the algorithm the CA will use to sign every certificate it issues, and SHA-1 signed certificates are rejected by current browsers and operating systems.  2048 bits is the minimum key size; 4096 is reasonable for a root that will be trusted for years.  If you have a hardware security module, select its key storage provider here, since the CA’s private key is the whole value of the PKI.  Click Next.


On the ‘Configure CA Name’ page, set the common name.  This tutorial uses the server name, which works, but bear in mind that the CA name is embedded in every certificate and CRL the CA issues and cannot be changed later, and that the server cannot be renamed once the CA is installed; a descriptive name such as ‘Contoso Root CA’ is the more common choice.  Leave the ‘Distinguished name suffix’ alone.  Click Next.


On the ‘Set Validity Period’ page, adjust the validity period or leave the default of five years.  This is the lifetime of the CA’s own certificate: nothing it issues can outlive it, and a short root lifetime just brings forward the day you have to renew the root and redistribute it, so five to ten years is typical.  The lifetime of issued certificates is controlled separately after installation (the default is two years).  Click Next.  On the ‘Configure Certificate Database’ page, you can adjust the paths or leave the defaults set; whichever you choose, make sure the database and log volume is included in your backups.  Click Next.

Next we see the ‘Web Server (IIS)’ page.  You can read the description and check out the links listed on the page if you’d like.  Click Next.


On the ‘Select Role Services’ page, leave the defaults selected.  Click Next.  On the ‘Confirm Installation Selections’ page, you can review your choices, go back and make changes, or click Install.  After the ‘Installation Progress’ page finishes, you can view your ‘Results’.
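A quick post-install check, as an added example that is not code from the original post: it reads the CA’s configuration from the registry and its certificate from the machine store, confirms that the CA published itself and its templates to Active Directory, and probes the Web Enrollment page for Windows authentication over plain HTTP.  It assumes an elevated PowerShell on the CA host and uses only the CertSvc registry keys, certutil.exe, the Cert: drive and ADSI, all of which ship with Windows Server 2008 R2; the CA name is read from the registry, so nothing has to be typed in.

```powershell
# Post-install check for the CA built above. Added example, not code from the original post.
# Assumes an elevated PowerShell on the CA host; uses only the CertSvc registry keys, certutil.exe,
# the Cert: drive and ADSI, all present on Windows Server 2008 R2 with PowerShell 2.0.

$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $regBase).Active            # the common name chosen in the wizard
$ca      = Get-ItemProperty -Path "$regBase\$caName"
$csp     = Get-ItemProperty -Path "$regBase\$caName\CSP"
$caTypes = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate'; 3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }  # CAType values from certsrv.h

"CA name         : $caName"
"CA type         : $($caTypes[[int]$ca.CAType])"
"CertSvc service : $((Get-Service -Name CertSvc).Status)"
"Issued lifetime : $($ca.ValidityPeriodUnits) $($ca.ValidityPeriod)"   # ceiling for every issued certificate
"Signing hash    : $($csp.CNGHashAlgorithm)"                            # used for new certificates and CRLs (KSP-based CAs)
certutil -ping | Out-Null
"RPC/DCOM ping   : exit code $LASTEXITCODE (0 = CA answering enrollment requests)"

# The CA's own certificate. The key size and hash chosen on 'Configure Cryptography' are
# frozen into it until the CA certificate is renewed, so check them before issuing anything.
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { ($_.Subject -like "CN=$caName,*" -or $_.Subject -eq "CN=$caName") -and $_.Subject -eq $_.Issuer } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
"CA certificate  : {0}, {1}-bit key, valid until {2:yyyy-MM-dd}" -f `
    $caCert.SignatureAlgorithm.FriendlyName, $caCert.PublicKey.Key.KeySize, $caCert.NotAfter
if ($caCert.SignatureAlgorithm.FriendlyName -match '^sha1') {
    Write-Warning 'CA certificate is SHA-1 signed; renew it with SHA-256 (or reinstall) before issuing certificates.'
}

# An enterprise CA registers itself in the Configuration partition. The Enrollment Services
# object is how domain members find the CA and which templates it offers; NTAuthCertificates
# membership is what makes its certificates valid for smart-card and other certificate logons.
$cfgNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$pks   = "CN=Public Key Services,CN=Services,$cfgNC"
$es    = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,$pks"
"Published host  : $($es.Get('dNSHostName'))"
$templates = @()
try { $templates = @($es.GetEx('certificateTemplates')) } catch { }   # attribute is absent when nothing is published
"Templates       : $(($templates | Sort-Object) -join ', ')"
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
$inNtAuth = @($ntAuth.GetEx('cACertificate') | ForEach-Object {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$_)).Thumbprint
}) -contains $caCert.Thumbprint
"In NTAuth       : $inNtAuth"

# Web Enrollment, if installed, is the classic ASP application under /CertSrv. A 401 that offers
# NTLM or Negotiate on plain HTTP means Windows credentials reach the CA unprotected; bind the
# application to HTTPS only and enable Extended Protection, or remove the role service.
try {
    $resp = [System.Net.WebRequest]::Create('http://localhost/certsrv/').GetResponse()
    "Web enrollment  : HTTP $([int]$resp.StatusCode) with no credentials (unexpected, check IIS authentication)"
    $resp.Close()
} catch [System.Net.WebException] {
    $r = $_.Exception.Response
    if ($r -eq $null) {
        "Web enrollment  : http://localhost/certsrv/ not reachable (role service not installed or IIS stopped)"
    } else {
        $schemes = $r.Headers['WWW-Authenticate']
        "Web enrollment  : HTTP $([int]$r.StatusCode), offers '$schemes' over plain HTTP"
        if ($schemes -match 'NTLM|Negotiate') {
            Write-Warning 'Windows authentication is offered over HTTP on /CertSrv; serve it over HTTPS with Extended Protection or uninstall Web Enrollment.'
        }
    }
}
```

The template list is worth a second look: with the wizard defaults the CA publishes the stock templates, and every authenticated domain user can request a certificate from any template that grants them Enroll, so remove the ones you do not intend to use from the Certificate Templates folder in the Certification Authority console.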


You’ve now got a domain controller that is capable of issuing certificates to your servers and users.  Before you issue anything, back up the CA (certutil -backup, or the Back Up CA task in the Certification Authority console) and keep the backup and its password offline; if the CA key is lost, every certificate it issued has to be replaced.  You can go back through the wizard and install additional AD CS role services, for example the ‘Certificate Enrollment Web Service’ and its companion ‘Certificate Enrollment Policy Web Service’, which let users and computers enroll over HTTPS when they are not on the domain network or not part of your domain.


21 thoughts on “Install Certificate Services on Windows Server 2008 R2”

  1. My root CA and issuing CA are on Win 2008 servers. Can I upgrade my servers to 2008 R2 directly, or do I have to backup/remove the CA, then upgrade Windows, and then add/restore the CA?

    1. @Gunnar I would always backup the CA before trying to make any infrastructure changes. I’ve never upgraded a server from 2008 to R2, but you shouldn’t have any trouble. I would start with the issuing CA, after backing it up, and attempt the upgrade there. If all works fine, then do the same for the root after backing up. If for some reason the issuing CA gets destroyed (highly unlikely), you can always restore or create a new issuing CA.

  2. Hello Clement DeLarge. I’m having a serious issue regarding an SSL connection with my test environment Active Directory. I followed this article to generate the certificate: http://www.sslshopper.com/article-installing-an-ssl-certificate-in-windows-server-2008-iis-7.0.html but they mention that we need to send the generated file to a certificate authority to create the SSL certificate. I just want to use this setup for changing user passwords in Active Directory, so can you tell me how I can generate this SSL certificate?

  3. Sorry, forgot to mention that I am on a test environment, so I do not want to place an order and spend money to generate a certificate for my test server.

  4. What do you mean by make the root CA unavailable? Do you mean stand up a subordinate and have it check in with the root and then disable the service on the Root CA?

  5. I have a question for you regarding windows 2008 server and setting up a network. I have windows 2008 R2 server set up on and ESXi server and I want to use it to set up a 4 server domain at home. But I have never done this before so I was wondering what are the basic components I should install?

    I know I need to install the Domain Controller, Active Directory, DNS, DHCP, Print server, and file sharing but I am not sure what else should be installed. I am going to use the server as a domain controller. Do I need to install Active Directory Certificate Services or LDAP or anything else?

    I just want to be sure I set up the network properly.

    Thanks Clement. I appreciate your help.

    1. @Mike, You’ve pretty much named everything that you need to install, and yes, I would install Certificate Services. You may not need it but it never hurts to have it available for you in case you want something. Is there anything specific that you’re planning on doing that might require other services? IE. Remote access gateway or something similar?

  6. Excellent article Clement thanks, I’m about to try this all out in my test lab.

    “To my knowledge to run an Enterprise CA, you can use any version of 2k8. I haven’t confirmed that but I’ve never seen a restriction there.”

    That got me wondering, and from the Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide:

    “Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.”

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17157

  7. Clement, I am trying to set up a working domain in a virtual environment (ESX) similar to what you would see in a business. I have the DC set up with DNS and the Cert server. I have 4 warnings I need to get resolved and then get a few other DNS issues resolved. I have an internal domain name used for DNS but I also have a domain registered with GoDaddy and my router is providing DHCP and DNS. I am trying to figure out what I need to turn off on the router and if I need to tie the external domain to the internal domain. My plan is to have a DC, PDC, file servers, print servers, WSUS, SCCM, Symantec Anti Virus, Exchange and Backup Exec, possibly remote access and remote apps using TS Web so I can learn the server management end of things.

    Before my job was out sourced and I was let go, I spent ten years as an IT Support specialist but the way the department was set up I was not given the opportunity to be involved or learn the Sys admin side of IT and now that I am looking for a new job people prefer someone with experience on both sides of the aisle. So I am trying to gain some experience and knowledge on my own.

    1. @Mike. I totally understand the need. I was originally a developer and in the quest to become more well-rounded and be able to utilize components that are already in place, I began my infrastructure deep dive.

      What you’ll want to do, at least in my opinion, is to disable DHCP on the router and enable it on a DC. When creating your DHCP scope, you will want to point to your DCs for DNS. On your DCs you need to set up DNS forwarding so that requests that are out of your scopes can be returned. These requests can be forwarded to your router’s DNS services, or any well-known public DNS servers (use more than one). I would advise against publishing your internal DNS servers since you’d need to maintain hardening and security, and having your DNS server be compromised can really ruin your network. You can have an internal DNS scope for your external domain as well so that you can use internal IPs for locally routable requests, and if you run something like TMG, Threat Management Gateway (formerly ISA Server if you’re not familiar with it), you can direct external requests to your internal network as well. Also when creating your DHCP scope, remember to leave a block of IPs that are outside of your DHCP scope for your static IP’d servers. With ISA, you can also manually handle sub-domain requests based on your external domain name and simply point all calls for your external domain to ISA via public DNS, for example: “*.your-domain.com” pointing to your public IP address and routing all of those requests to ISA via port mapping on your router (i.e. 80 and 443). ISA can also be used to publish VPN and remote access gateways.

      Are you comfortable with DNS and managing DNS records? Also, if you’re looking for a little more of a challenge, and one that would replicate many production environments, I would advise setting up multiple subnets, one for your client machines, and one for your production servers, and using a software based router like Vyatta (http://www.vyatta.com) which virtualizes very well, to handle network-to-network traffic. Vyatta also has a robust firewall as part of the solutions that it can provide. I have some other articles on this blog for both Vyatta and DNS that you may want to check out if you’re not familiar with either.

      Hope this helps and let me know if you have more questions. It’d be my pleasure to help you get up and running.

  8. Kindly suggest whether it is essential to create a CA on a Domain Controller. What about a standalone CA server which connects to the DC in the network?

  9. I set up CA on my DC. However I forgot to include Certification Authority Web Enrollment so I will need to go back and install that. Before I tackle DHCP I ran into a number of warnings that I have not been able to find workable solutions for. I did some searches and the solution recommended did not work. Although they are not critical errors I would like to see if I can eliminate these warnings and move on using a server that is working properly.

    Any thoughts or solutions to these would be appreciated.

    Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.internalnt.zimboy.com timed out after none of the configured DNS servers responded.
    Source: DNS Client Events
    Event ID: 1014
    _______________________________________________________________________

    The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

    Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
    Source: ActiveDirectory-DomainService
    Event ID: 2886

    _______________________________________________________________________

    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    Source: DNS-Server_Service
    Event ID: 4013
    _______________________________________________________________________
    The WinRM service failed to create the following SPNs: WSMAN/WIN08SRV1.internalnt.zimboy.com; WSMAN/WIN08SRV1.
    Source: Windows Remote Management
    Event ID: 10154

  10. Mike,

    Try the following for the SPN issue:

    First go to a command prompt and type:

    dsacls "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=local" /G "S-1-5-20:WS;Validated write to service principal name"

    Where DOMAIN is the name of your domain preceding the “.”, so if your domain name is DOMAIN.LOCAL, use DOMAIN.

    After that, go to the Run Command and type ADSIEDIT.msc and hit Enter.
    Choose “Default naming context” and scroll down to and double click on the “Domain Controllers” OU, right-click the “Domain Controller” object (should be something like CN=SERVERNAME) and select Properties. Then select the Security tab and click the Advanced button; in the Advanced Security Settings menu, click Add, type Network Service and hit OK (if Network Service isn’t there). If it is there, highlight it and click Edit. At the Object screen that comes up, scroll all the way to the bottom and make sure that “Validated write to service principal name” is checked. I also uncheck “Include inheritable permissions …” and when a box comes up, I tell it to Copy.

    Hopefully that will at least get your SPN error resolved for you!

    For your DNS issues, have you created a Reverse Lookup Zone (IP V4)? If not I would try that. The DNS server waiting on Active Directory should just be a transient condition and once the AD is Sync’d it should be OK. The SASL warning is just a warning and is recommended by MS. I am not sure how to get rid of that one yet …

    Cheers,

    Mark

  11. Mark:

    I followed your instructions and my SPN issue has been resolved. However even after creating a reverse lookup zone I am still having the 2 DNS issues listed below. Do I need to create a pointer? I did not think I did but someone mentioned that I should. I also tried to add an external DNS server as a secondary server and that did not resolve the issue either; instead it just created additional errors so I removed the secondary DNS server.

    For Now I will just ignore SASL warning since you said it is recommended by MS.

    Any other suggestions for the issues below would be appreciated.

    ______________________________________________________________________

    Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.internalnt.zimboy.com timed out after none of the configured DNS servers responded.
    Source: DNS Client Events
    Event ID: 1014
    _______________________________________________________________________

    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    Source: DNS-Server_Service
    Event ID: 4013

    Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.internalnt.mydoamin.com timed out after none of the configured DNS servers responded.
    Source: DNS Client Events
    Event ID: 1014
    _______________________________________________________________________

    The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

    Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
    Source: ActiveDirectory-DomainService
    Event ID: 2886


  12. Hello, I am new to setting up certificates. I want to set up the service because currently remote end users are using OpenVPN to remote back to the network; we also have Cisco VPN but do not use it for end users to get back to the office network. I was told this can be done by setting up Certificate Services on the Win 08 R2 server, then issuing certificates to the VPN client; that way the end users can use the VPN client to log back on to the network and we have one centralized VPN client. Question: can this be done, are there a lot of steps involved in getting it done, and if possible how do I go about finding out the steps to do it?

    1. @Neil: This can definitely be done. Unfortunately I don’t have an article at this time on how to do it, but you can use the “Routing and Remote Access Service”. This can be installed and configured via the roles in Server Manager. If I get the chance, I’ll post an article on this soon, but until then, try this link, it should get you started and get you some information on what you’re trying to do: http://technet.microsoft.com/en-us/library/cc754634(WS.10).aspx.

      Good luck and let me know how it goes.
