Windows Server 2012 Step by Step Book

Windows Server 2012 Step by Step

This is my first book published on December 2 2012. The following is the chapters available in detailed in the book titled “Windows Server 2012 Step by Step”

Chapter 1: Introduction to windows server 2012

Chapter 2: Installing and navigating windows server 2012

Chapter 3: Server Roles and Features

Chapter 4: Active Directory Domain Services

Chapter 5: Active Directory Certificate Services

Chapter 6: Active Directory Federation Services

Chapter 7: Active Directory Rights Management Services

Chapter 8: Networking Infrastructure

Chapter 9: Failover Clustering

Chapter 10: Remote Desktop Services

Chapter 11: Security, Protection and protection

Chapter 12: Building Private Cloud with Hyper-V

Chapter 13: Web Server (IIS)

Chapter 14: BranchCache Server configuration

Chapter 15: Routing and Remote Access Server Configuration

Chapter 16: Windows Deployment Services

Chapter 17: Windows Server Update Services

Chapter 18: Volume Activation

Chapter 19: File and Storage Services

Chapter 20: Print and Document Services

Chapter 21: Network Policy and Access Server

Chapter 22: Group Policy Object

Chapter 23: Migrating from Server 2008 to Server 2012

Chapter 24: Supporting Windows Server 2012

 

Active Directory Certificate Services Best Practices

AD CS is composed of several role services that perform several tasks. One or more of these role services can be installed on a server as required. These role services are as follows:

  • Certification Authority— This role service installs the core CA component, which allows a server to issue, revoke, and manage certificates for clients. This role can be installed on multiple servers within the same root CA chain.
  • Certification Authority Web Enrollment— This role service handles the web-based distribution of certificates to clients. It requires Internet Information Services (IIS) to be installed on the server.
  • Online Responder— The role service responds to individual client requests regarding information about the validity of specific certificates. It is used for complex or large networks, when the network needs to handle large peaks of revocation activity, or when large certificate revocation lists (CRLs) need to be downloaded.
  • Certificate Enrollment Web Service— This new service enables users and computers to enroll for certificates remotely or from non-domain systems via HTTP.
  • Certificate Enrollment Web Policy Service— This service works with the related Certificate Enrollment Web Service but simply provides policy information rather than certificates.
  • Network Device Enrollment Service— This role service streamlines the way that network devices such as routers receive certificates.

Windows Server 2012 Step by Step
Active Directory Certificate Services Hierarchy

Public Key Infrastructure must be deployed in hierarchical order to securely deliver certificates to clients, application and servers. The best way to achieve this is to deploy a Standalone Offline Root CA and Online Enterprise Subordinate CA. Offline Root CA meaning you have to shut down the CA once you obtain the CRL chain for subordinate CA. Subordinate stays powered on and joined to the domain. Offline Root CA works in a workgroup not a domain member.

Standalone offline Root CA:

Benefits:

  • Principal component of PKI infrastructure
  • Provide CRL sign off capacity for subordinate authority
  • Provide Web Enrolment for Sub-ordinate Certificate Authority
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Online Enterprise Subordinate CA

Benefits:

  • Subordinate Component of PKI infrastructure
  • Present and issue Certificates to clients
  • Sign off Web Certificates for application
  • Management point of Certificate Infrastructure
  • Maintain CAPolicy.inf to record OID and certificate authority validity period

Certificate Services Best practices

  • Analyze and plan necessity of Active Directory Certificates or public key infrastructure (PKI) in your organization before deploying certification authorities (CAs)
  • Place database and transaction log files on separate hard drives possibly SAN
  • Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise
  • When changing security permissions for the certification authority (CA), always use the Certification Authority snap-in
  • Do not issue certificates to users or computers directly from the root certification authority
  • Always point client to subordinate certificate any certificates
  • Back up the CA database, the CA certificate, and the CA keys
  • Ensure that key lifetimes are long enough to avoid renewal issues
  • Review the concepts of security permissions and access control, since enterprise certification authorities issue certificates based on the security permissions of the certificate requester
  • Use Secure Sockets Layer (SSL) when using Web-based certificate enrollment

Certificate Provider

You have to select RSA#Microsoft Software Key Storage Provider” with sha1 if there is any Windows XP Client otherwise select RSA#Microsoft Software Key Storage Provider” with sha256 as certificate provider.

Cryptographic Key Length

Use 2048 bit cryptographic length for both offline Root CA and Subordinate CA.

Templates

  • Plan certificate templates before deployment
  • Only Publish templates that are necessary
  • Duplicate new templates from existing templates closest in function to the intended template
  • Do not exceed the certificate lifetime of the issuing certification authority
  • Do not delete the Certificate Publishers security group

Validity Period

  • Offline Standalone Root CA- 10 Years
  • Online Enterprise Subordinate CA- 10 Years

Revocation List

The following sections summarize how certificate revocation checking works.

  • Basic chain and certificate validation
  • Validating revocation information
  • Network retrieval and caching

Revocation Best Practice

  • Leave the default revocation checking behavior instead of using CRLs for revocation checking
  • Instead of creating long listings of URLs for OCSP and CRL retrieval, consider limiting the lists to a single OCSP and a single CRL URL
  • Use CryptoAPI 2.0 Diagnostics to Troubleshoot Revocation Settings
  • Use Group Policy to Define Revocation Behavior

Audit Policy

Select the following Audit Policy for both Certificate Authority

  • Backup and restore the CA database
  • Change CA configuration
  • Change CA security settings
  • Issue and manage certificate request
  • Revoke certificates and publish CRL

Backup Certificate Authority

  • Backup Public Key
  • Backup CA database
  • Retention: Daily increment/Monthly Full

Security Permission on Template

The following table summarize certificate security permission in AD CS.

Domain Computers Auto-Enroll Read Only
Domain Users Auto-Enroll Read Only
Wintel Administrator Full Control Full Control

Security Permission on Servers

You must create role separation in Active Directory Certificate Services to provide greater control on Certificate Authority. To enable Role separation, Open Elevated command prompt and type certutil -setreg caRoleSeparationEnabled 1. The following table describe role separation for AD CS.

CA Administrator Full Permission
Certificate Manager Issue and Manage Certificates
Auditor Manage auditing and security logLocal Security Settings/ Security Settings/Local Policies/User Rights Assignments
Backup Operator Back up file and directories

Local Security Settings/ Security Settings/Local Policies/User Rights Assignments

Enrollees Authenticated Users

The Following are the messy configurations you must avoid when installing a Certificate Authority.

  • Do not install Certificate Authority on any Domain Controller or server with other roles unless you are a small business and you have only one or two servers in your organization. In this case, you don’t have any choice.
  • Do not install both certificate authority in two different operating systems such as Windows Server 2003 and Windows Server 2008.
  • Do not keep CAs in different patch and update level.
  • Do not use 1024 bit encryption length.

Relevant Articles:

Microsoft Active Directory Best Practice Part II

Microsoft Active Directory—Best Practice

Love My Blog Stats

Total Stats

clip_image002

Blog Referrer

clip_image003

Most viewed articles:

clip_image004

Microsoft Active Directory Best Practice Part II

I have written Active Directory Best Practice last year. I received huge feedback on this article. Recently I had to deal with an Active Directory disaster. I believe time is perfect to write part II on this same topics and educate others so that they learn Active Directory and prepare themselves for disaster recover.  In this article I am also writing about Active Directory Design and the elements of the design. You may think you know Active Directory but have a look what you don’t know!

Readers who may benefit from this article:

Technical Architect, Systems Engineer, Systems Administrator, Active Directory Designer

Active Directory FSMO Role Design Best Practice

Scope of AD Design

  1. Provide Compliance, Governance and Oversee Network Authentication
  2. Secure Servers, Users and Computers
  3. Provide DNS Resolution
  4. Create central repository of all IT objects and assets

What are the elements of Active Directory Design?

  1. Forest Plan
  2. Domain Plan
  3. Organizational Unit Plan
  4. Site and Services Plan

1. Key Consideration for Forest Plan

• Determine the number of forests for your network
• Create a forest change control policy
• Understand the impact of changes to the forest after deployment

Multi-Master Model:

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, “the last writer wins”), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the “last writer wins” approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows incorporates methods to prevent conflicting Active Directory updates from occurring.

Single-Master Model:

To prevent conflicting updates in Microsoft AD, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows, in which the PDC is responsible for processing all updates in a given domain.
Microsoft Active Directory extends the single-master model found in earlier versions of Windows to include multiple roles, and the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, it is referred to as a Flexible Single Master Operation (FSMO) role. Currently in Windows there are five FSMO roles:

  • Schema master
  • Domain naming master
  • RID master
  • PDC emulator
  • Infrastructure daemon

2. Domain Plan

The domain plan is perhaps the most complicated aspect of the Active Directory design process. The planning process described below is divided into three parts:
• Determining the number of domains
• DNS and Domain Names
• Post Deployment Change management

Who are the administrator and who are delegated in Active Directory?

• Current domain administrators who are responsible for user accounts, groups, and computers
• Teams that manage and monitor the physical networks
• Team that manage DNS
• Security teams

The steps to creating a domain plan for a forest are:
• Determine the number of domains in each forest
• Choose a forest root domain
• Assign a DNS name to each domain to create a domain hierarchy
• Plan DNS server deployment
• Optimize authentication with short cut trusts
• Understand the impact of changes to the domain plan after deployment

Active Directory domains are named with DNS names that are the locator services for the Active Directory. Clients query DNS to locate services such as LDAP and Kerberos Key Distribution Centers. Also, a client uses DNS to determine what site it is in and what site its domain controller is in.

3. Organization Unit Plan

OU is the logical presentation of Company organogram, departmental organogram and Site/divisional organogram. OU design and planning is another very complex aspect of the design. However, changes to the design after deployment, are relatively easy to accomplish. A well-designed OU plan will ensure a return on investment for your AD effort. The decisions on OU design, GPO, security groups, and delegation are critical; however these aspects of AD are designed to handle the changes to your directory.

Here are some reasons why complexity should be handled at the OU level.
• Changing the OU Structure is fairly easy
• OUs are very flexible when used in conjunction with security groups and Group Policy Objects
• OUs offer a type of security boundary
• GPOs as a parent OU are inherited by a child OU (remember this does not happen at the domain level: a child domain does not inherit policy from its parent domain in the domain name space)
• OUs can be delegated administration rights, thus saving the cost of adding a domain just for administrative reasons
• The initial OU design requirements can be influenced by the down level domain migration requirements. The OU infrastructure can be redesigned after the migration

4. Site and Services Plan

An Active Directory site topology is a logical representation of a physical networks (WAN & LAN). Site topology is defined on a per-forest basis. Active Directory clients and servers use the site topology of a forest to route query and replication traffic efficiently. A site topology also helps you to decide where to place domain controllers on your network. Keep the following definition in mind when designing the site plan.

A site is defined as a set of IP sub networks connected by fast reliable connectivity. As a rule of thumb, networks with LAN speed or better are considered as fast networks.

To create a site topology for a forest, use the following process:

  • Define sites and site links using your physical topology as a starting point. (Site links are connection objects, used to connect two sites, which are normally connected as a Wide Area Network)
  • Place servers into sites
  • Understand how changes to your site topology after deployment will impact end users

How many parties involve in Site Design

  • Teams that manage and monitor the TCP/IP networks. (Network Team)
  • Domain administrators for each domain in the forest (Wintel Team)
Writable DC or RODC?

Certain domain and enterprise-wide operations that are not well suited to multi-master updates must be performed on a single domain controller in the domain or in the forest. The purpose of having a single-master owner is to define a well-known target for critical operations and to prevent the introduction of conflicts or latency that could be created by multi-master updates. Having a single-operation master means that the relevant FSMO role owner must be online, discoverable, and available on the network by computers needing to perform FSMO dependent operations.

As per above statement, you can adopt HUB-SPOKE model with writable DC in Head Office and RODC in Site office with small number of users. However if you have sites with many users accessing DFS data, Printing and NTFS files randomly than its better to have writable DCs in all sites as well. If you are using MPLS service such as Telstra IP-WAN enterprise managed network than you definitely on a mesh WAN topology in that case you can happily have writable DCs on sites with mesh topology configured AD Sites and Services. However you are in SMB market with only several sites and low bandwidth than I would recommend RODC as your site domain controller.

 Relate the design with your organization or corporate scenario

• Design 1: Single Forest with a Single Domain
• Design 2: Single Forest with Multiple Domains
• Design 3: Multiple Forests

Ask yourself/client the following questions and find correct answer not reasonable answer

• How many Forests?
• How Many Domains?
• What is the best DNS Design for the Domain Name space?
• What are the Security verses Ease of Management Tradeoffs?

Understand FSMO Role Holder’s tasks and functionality: The operations masters, their scope and functionality are shown in the following table.

FSMO Role Scope
Function and availability requirements
Schema Master
Enterprise
  • Used to introduce manual and programmatic schema updates, and this includes those updates that are added by Windows ADPREP /FORESTPREP, by Microsoft Exchange, and by other applications that use Active Directory Domain Services (AD DS).
  • Must be online when schema updates are performed.
Domain Naming Master Enterprise
  • Used to add and to remove domains and application partitions to and from the forest.
  • Must be online when domains and application partitions in a forest are added or removed.
Primary Domain Controller
Domain
  • Receives password updates when passwords are changed for the computer and for user accounts that are on replica domain controllers.
  • Consulted by replica domain controllers that service authentication requests that have mismatched passwords.
  • Default target domain controller for Group Policy updates.
  • Target domain controller for legacy applications that perform writable operations and for some admin tools.
  • Must be online and accessible 24 hours a day, seven days a week.
RID Domain
  • Allocates active and standby RID pools to replica domain controllers in the same domain.
  • Must be online for newly promoted domain controllers to obtain a local RID pool that is required to advertise or when existing domain controllers have to update their current or standby RID pool allocation.
Infrastructure Master
Domain
Application partition
  • Updates cross-domain references and phantoms from the global catalog. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 248047 Phantoms, tombstones and the infrastructure master
  • A separate infrastructure master is created for each application partition including the default forest-wide and domain-wide application partitions created by Windows Server 2003 and later domain controllers.
    The Windows Server 2008 R2 ADPREP /RODCPREP command targets the infrastructure master role for default DNS application in the forest root domain. The DN path for this role holder is CN=Infrastructure,DC=DomainDnsZones,DC=<forest root domain>,DC=<top level domain> and CN=Infrastructure,DC=ForestDnsZones,DC=<forest root domain>,DC=<top level domain>.

Who owns what FSMO Roles & Where to place FSMO Roles

When the Active Directory Installation Wizard (Dcpromo.exe) creates the first domain in a new forest, the wizard adds five FSMO roles. A forest with one domain has five roles. The Active Directory Installation Wizard adds three domain-wide roles on the first domain controller in each additional domain in the forest. In addition, infrastructure master roles exist for each application partition. This includes the default domain and the forest-wide DNS application partitions that are created on Windows Server 2003 and on later domain controllers.

The Active Directory Installation Wizard performs the initial placement of roles on domain controllers. This placement is frequently correct for directories that have just a few domain controllers. In a directory that has many domain controllers, the default placement may not be the best match for your network.

Consider the following in your selection criteria:

  • It is easier to keep track of FSMO roles if you host them on fewer computers.
  • Place roles on domain controllers that are can be accessed by the computers that need access to a given role, especially on networks that are not fully routed. For example, to obtain a current or standby RID pool, or perform pass-through authentication, all DCs need network access to the RID and PDC role holders in their respective domains.
  • If a role has to be moved to a different domain controller, and the current role holder is online and available, you should transfer (not seize) the role to the new domain controller. FSMO roles should only be sized if the current role holder is not available.
  • FSMO roles that are assigned to domain controllers that are offline or in an error state only have to be transferred or seized if role-dependent operations are being performed. If the role holder can be made operational before the role is needed, you may delay seizing the role. If role availability is critical, transfer or seize the role as required. The PDC role in each domain should online 24×7.
  • Select a direct intra-site replication partner for existing role holders to act as a standby role holder. If the primary owner goes offline or fails, transfer or seize the role to the designated standby FSMO domain controller as required.
General recommendations for FSMO placement
  • Place the schema master on the PDC of the forest root domain.
  • Place the domain naming master on the forest root PDC.
    The addition or removal of domains should be a tightly controlled operation. Place this role on the forest root PDC. Certain operations that use the domain naming master, such as creating or removing domains and application partitions, fail if the domain naming master is not available. On a domain controller that runs Microsoft Windows 2000, the domain naming master must also be hosted on a global catalog server. On domain controllers that run Windows Server 2003 or later versions, the domain naming master does not have to be a global catalog server.
  • Place the PDC on your best hardware in a reliable hub site that contains replica domain controllers in the same Active Directory site and domain.
  • In large or busy environments, the PDC frequently has the highest CPU utilization because it handles pass-thru authentication and password updates. If high CPU utilization becomes a problem, identify the source, and this includes applications or computers that may be performing too many operations (transitively) targeting the PDC.
  • All domain controllers in a given domain, and computers that run applications and admin tools that target the PDC, must have network connectivity to the domain PDC.
  • Place the RID master on the domain PDC in the same domain.
    RID master overhead is light, especially in mature domains that have already created the bulk of their users, computers, and groups. The domain PDC typically receives the most attention from administrators, therefore, co-locating this role on the PDC helps insure good availability. Make sure that existing domain controllers and newly promoted domain controllers, especially those promoted in remote or staging sites, have network connectivity to obtain active and standby RID pools from the RID master.
  • Legacy guidance suggests placing the the infrastructure master on a non-global catalog server. There are two rules to consider:
    • Single domain forest:
      In a forest that contains a single Active Directory domain, there are no phantoms. Therefore, the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
    • Multi-domain forest:
      If every domain controller in a domain that is part of a multi-domain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain. In practical terms, most administrators host the global catalog on every domain controller in the forest.
    • If every domain controller in a given domain that is located in a multi-domain forest does not host the global catalog, the infrastructure master must be placed on a domain controller that does not host the global catalog.

Techniques to reduce CPU include the following:

  • adding more or faster CPUs
  • Adding additional replicas
  • Adding additional memory to cache Active Directory objects
  • Removing the global catalog to avoid global catalog lookups
  • Reducing the number of incoming and outgoing replication partners
  • Increasing the replication schedule
  • Reducing authentication visibility by using LDAPSRVWEIGHT and LDAPPRIORITY that is described in KB296716 and the Randomize1CList described in KB231305

In short human readable English language I would recommend follow the following FSMO roles structure.

Domain Controller 1: Place the two forest roles on this server.

  • Schema Master
  • Domain Master

Domain Controller 2 Place the three domain roles on this server.

  • RID Master
  • Infrastructure Master
  • PDC Emulator

Global Catalog Rules:

Rule#1: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log.

Rule#2: If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. In simple plain English yes you configure IM FSMO role holder a GC if all DCs are GC.

Group Policy Hierarchy Best Practice:

Group Policy(s) will flow down a hierarchy in the following order:
• Site
• Domain
• OU

The following are key element of Active Directory Users and Computer Policy:

• Password Policies, such as password length, password expiry interval and so forth
• Account Lockout Policies
• Kerberos policies
• Encrypted file system recovery policies
• IP security policies
• Public Key encryption policies
• Certificate authorities

Default Domain Policy determination

  • Encrypted File System Recovery Policies
  • IP Security Policies
  • Public Key Infrastructure Policies
  • Certificate Authorities
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policies

How long can a PDC and DC be offline? In theory, you can take PDC master offline for tombstone lifetime period and get away with warnings, but without breaking anything.
By default the DCs will look for PDCE as authoritative time source and you will have issues related to editing GPOs, but as long as you do not have legacy clients, you can take the PDCE down for up to 60 days pre-W2K3 SP1 environment (DCs) and for 180 days if all the DCs are W2K3 SP1.

Another issue would have to do with password chaining – if PDCE is down, you might get temporary authentication failures after changing user passwords. see the KB for details on how password chaining works.

However in practice you shouldn’t shutdown a DC for longer than necessary that may create lot of issues such as replication issue and authentication issues for site users. You can patch and update a domain controller using SCCM/WSUS and reboot the DC without any issues.

Transferring the Flexible Single Master Operation Role

The transfer of an FSMO role is the suggested form of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller, but is not initiated automatically by the operating system. This includes a server in a shut-down state. FSMO roles are not automatically relocated during the shutdown process–this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example.

In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role to ensure that any changes have been recorded before the role change.

Operational attributes are attributes that translate into an action on the server. This type of attribute is not defined in the schema, but is instead maintained by the server and intercepted when a client attempts to read or write to it. When the attribute is read, generally the result is a calculated result from the server. When the attribute is written, a pre-defined action occurs on the domain controller.

The following operational attributes are used to transfer FSMO roles and are located on the RootDSE (or Root DSA Specific Entry–the root of the Active Directory tree for a given domain controller where specific information about the domain controller is kept). In the operation of writing to the appropriate operational attribute on the domain controller to receive the FSMO role, the old domain controller is demoted and and the new domain controller is promoted automatically. No manual intervention is required. The operational attributes that represent the FSMO roles are:

becomeRidMaster
becomeSchemaMaster
becomeDomainMaster
becomePDC
becomeInfrastructureMaster

If the administrator specifies the server to receive the FSMO role using a tool such as Ntdsutil, the exchange of the FSMO role is defined between the current owner and the domain controller specified by the administrator.
When a domain controller is demoted, the operational attribute “GiveAwayAllFsmoRoles” is written, which triggers the domain controller to locate other domain controllers to offload any roles it currently owns. Windows 2000 determines which roles the domain controller being demoted currently owns and locates a suitable domain controller by following these rules:

  1. Locate a server in the same site.
  2. Locate a server to which there is RPC connectivity.
  3. Use a server over an asynchronous transport (such as SMTP).

In all transfers, if the role is a domain-specific role, the role can be moved only to another domain controller in the same domain. Otherwise, any domain controller in the enterprise is a candidate.

Seizing the Flexible Single Master Operation Role

Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment.
When the administrator seizes an FSMO role from an existing computer, the “fsmoRoleOwner” attribute is modified on the object that represents the root of the data directly bypassing synchronization of the data and graceful transfer of the role. The “fsmoRoleOwner” attribute of each of the following objects is written with the Distinguished Name (DN) of the NTDS Settings object (the data in the Active Directory that defines a computer as a domain controller) of the domain controller that is taking ownership of that role. As replication of this change starts to spread, other domain controllers learn of the FSMO role change.

Primary Domain Controller (PDC) FSMO:

LDAP://DC=MICROSOFT,DC=COM

RID Master FSMO:

LDAP://CN=Rid Manager$,CN=System,DC=MICROSOFT,DC=COM

Schema Master FSMO:

LDAP://CN=Schema,CN=Configuration,DC=Microsoft,DC=Com

Infrastructure Master FSMO:

LDAP://CN=Infrastructure,DC=Microsoft,DC=Com

Domain Naming Master FSMO:

LDAP://CN=Partitions,CN=Configuration,DC=Microsoft,DC=Com

For example, if Server1 is the PDC in the MicrosoftGuru.com.au domain and is retired and the administrator is unable to demote the computer properly, Server2 needs to be assigned the FSMO role of the PDC. After the seizure of the role takes place, the value

CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Microsoft,DC=Com

is present on the following object:  LDAP://DC=Domain,DC=COM,DC=AU

How to Fix ForestDnsZones and DomainDnsZones after failed demotion attempt

cscript fixfsmo.vbs DC=DomainDnsZones,DC=contoso,DC=com

cscript fixfsmo.vbs DC=ForestDnsZones,DC=contoso,DC=com

Can I change Active Directory Schema using ADSIEDIT? yes you can change Active Directory Schema using ADSIedit tools.  

Microsoft recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

Microsoft recommend that you seize FSMO roles in the following scenarios:

  • The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
  • A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
  • The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

The partition for each FSMO role is in the following list: 

FSMO role
Partition
Schema
CN=Schema,CN=configuration,DC=microsoftguru,dc=com,dc=au
Domain Naming Master
CN=configuration,DC=microsoftguru,dc=com,dc=au
PDC
DC=microsoftguru,dc=com,dc=au
RID DC=microsoftguru,dc=com,dc=au
Infrastructure DC=microsoftguru,dc=com,dc=au

How to View/create/remove a new global catalog on the destination global catalog server

  1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, double-click Sites, and then double-click sitename.
  3. Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.
  4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server. Deselect the Global Catalog check box to remove GC from the DC.
  5. Restart the domain controller.

 How to view and transfer FSMO roles in Windows Active Directory

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File, menu click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
      -or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer FSMO roles using ntdsutil

  • Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  • Type roles, and then press ENTER
  • Type connections, and then press ENTER
  • Type Connect to Server ServerName and Press Enter
  • At the server connections prompt, type q, and then press ENTER
  • Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER,
  • At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

  • Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  • Type roles, and then press ENTER.
  • Type connections, and then press ENTER.
  • Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  • At the server connections prompt, type q, and then press ENTER.
  • Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER,
  • At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
    Notes

Important KBs and Readings

 

Repadmin Examples and Dcdiag Examples

Best Practices Analyzer for Active Directory Domain Services

Microsoft Premier Field Engineering Platform Reporting Tool (MPS_REPORTS)

Microsoft Product Support Reports Viewer 2.0

Best Practice Active Directory Design for Managing Windows Networks

Windows 2000 Active Directory FSMO roles

FSMO placement and optimization on Active Directory domain controllers

Flexible Single Master Operation Transfer and Seizure Process

Phantoms, tombstones and the infrastructure master

How to view and transfer FSMO roles in Windows Server 2003

Managing Operations Master Roles

How to remove data in active directory after an unsuccessful domain controller demotion

FSMO placement and optimization on Windows 2000 domain controllers

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

Windows Server 2008 R2 Active Directory Certificate Services Deep Dive

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

Create a text file using notepad. copy the following content and paste inside the text file and save as request.inf.

;copy from here

[Version]

Signature=”$Windows NT$

[NewRequest]
Subject = “CN=myserver.microsoftguru.com.au” ; must be the FQDN of domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE  ; TRUE = Private key is exportable
KeyLength = 2048    ; Common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1             ; Key Exchange
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = CMC ; or PKCS10

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]

; If your client operating system is Win2k8,Win Vista, Win7

; SANs can be included in the Extensions section by using the following text format.

;Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = “{text}”

_continue_ = “dns=Exchange1.microsoftguru.com.au&”

_continue_ = “dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&”

_continue_ = “url=http://myserver.microsoftguru.com.au&”

_continue_ = “ipaddress=172.31.10.134&”

_continue_ = email=test@microsoftguru.com.au&

_continue_ = upn=test@microsoftguru.com.au&

_continue_ = “guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&”    

;Alternatively you create a SAN attribute using a script provided in KB

; use text format or encrypted format of SAN. 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]

; Multiple alternative names must be separated by an ampersand (&).

;In the example I have shown two different types of SAN. Use only one type of SAN.

;Asterisk *.yourdomainname.com.au is used for Wildcard certificates.

SAN=”dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130″

SAN=”dns=webmail.microsoftguru.com.au&dns=*.microsoftguru.com.au&dns=autodiscover.microsoftguru.com.au”

CertificateTemplate = WebServer

; change template name depending on your environment.

; remove “;” from request.inf file. file ends here.

Important Note: Some third-party certification authorities (For examples ISPs who sell SSL certificate) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject=”E=test@microsoftguru.com.au, CN=<FQDN of server>, OU= My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU.” Amend Request.inf as per your need. For a standard certificate request you can omit SAN, [Extensions] and[EnhancedKeyUsageExtension] section.

Open a command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new c:request.inf c:certnew.req

At the command prompt, type the following command, and then press ENTER:

certreq -submit c:certnew.req c:certnew.cer

If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

certreq -submit -config “DC.microsoftguru.com.auMYCA” c:certnew.req c:certnew.cer

Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:

certreq -retrieve RequestID c:certnew.cer

You can also use the -config switch here to retrieve the certificate request from a specific CA.

At the command prompt, type the following command, and then press ENTER:

certreq -accept c:certnew.cer

This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in previous step.

How to configure a CA to accept a SAN attribute from a certificate request

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

To repair a certificate
  1. If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

  2. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

  3. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

  4. Open a Command Prompt window, type certutil –repairstore My “{Serialnumber}” and then press ENTER.

image

How to enable secure certificate enrolment in certificate authority

Step1: Create request.inf file using WebServer template

Step2: Generate a web server certificate request.req file using certreq.exe tools

certreq -new c:request.inf c:request.req

Step3: Submit the request.req file using certreq.exe or CA Management Console. Save certificate.cer

Open CA MMC>Select CA server>Right click on CA Server>Click All Task>Submit a new request

Point the location c:request.req and submit. you will be prompted to save certificate.

image

Step4: Import the certificate into certificate authority

Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right Click Import certificate you saved in previous steps.

Step5: Open IIS Management Console>Select Default Web Site>Click Bindings from Action Pan>Click Add>Select HTTPS>Select the certificate you just imported in previous step. Click OK.

image

image

image

Step6: Run iisreset /restart from command prompt

Step7: Test https://MYCA/certsrv

How to use secure Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer. In Internet Explorer, connect to https://MYCA/certsrv.
  2. Click Request a Certificate.>Click Advanced certificate request.

image

  1. Click request a certificate
  2. In the Certificate Template list, click Web Server. Note The CA must be configured to issue Web Server certificates.
  3. Provide identifying information as required.
  4. In the Name box, type the fully qualified domain name FQDN of the server.
  5. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store

Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

san:dns=dns.name[&dns=dns.name]

image

Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is myserver.microsoftguru.com.au and the alias are autodiscover.microsoftguru.com.au and webamil.microsoftguru.com.au, these names must be included in the SAN attributes. The resulting attribute string appears as follows:

san:dns=myserver.microsoftguru.com.au&dns=myweb.microsoftguru.com.au&dns=mysite.microsoftguru.com.au

 

image

Click Submit. If you see the Certificate Issued Web page, click Install this Certificate.

My preferred way to request a certificate is to create a .req file shown in previous steps. open .req file in a notepad and copy the contents. click submit a certificate request by using base 64-encode

image

Paste the contents into base 64-encode. Select web server template. click submit.

image

Now obtain certificate click yes.

image

to download certificate with root CA CRL  click Download certificate chain in p7b format

to download only certificate click download certificate and save.

image

How to configure Private Key in Certificate Authority and Export Private Key

1. Open CA MMC from Administrative Tools>Right Click on Certificate Template>Click Manage

image

2. Select WebServer Template>Right Click on WebServer Template>Click Duplicate Template>Select Win2k3 or Win2k8 OS Version>Type Template Name as WebServer With Private Key in General Tab

3. Click Request Handling Tab>Check Allow private key to be exported

 image

4. Click Security Tab> Allow appropriate security for the person who will enroll and export the certificates

image

5. Click Ok. Close CA MMC.

6. Create a WebServer Request.inf. Create Request.req file

7. Submit WebServer request to https://myca/certsrv . Download and install certificate.

To export a certificate with the private key

1.Open Certificate Manager by clicking the Start button>Search Box>Type certmgr.msc, and then pressing ENTER.‌

2. Go to Certificates-Current UserPersonalCertificates>Select Certificate you would like to export.

3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.

Note that this option will appear only if the private key is marked as exportable in request.inf file and you have access to the private key.

4. Under Export File Format, do one or all of the following, and then click Next.

  • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
  • To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

How to import Private Key

  1. Click Start Menu>Search Box>Click mmc.msc>Click Certificates>Add Computer Account>Click OK.

  2. Click a folder, click the Action menu, point to All Tasks, and then click Import.

image

3. Browse to the location where you exported certificates>Select Certificate>Provide password to import the certificate.

4. Click Next, and then follow the instructions.

Playing with AD CS Administration Cmdlets in Windows PowerShell

The following Windows PowerShell® cmdlets that are for use in administering the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server® “8” Beta.

  • Import-Module ServerManager – Imports the Server Manager module that provides the Add-WindowsFeature cmdlet.
  • Add-WindowsFeature Adcs-Cert-Authority – Adds the Certification Authority role service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Pol – Adds the Certificate Enrllment Policy Web Service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Svc – Adds the Certificate Enrollment Web Service binaries.
  • Add-WindowsFeature Adcs-Web-Enrollment – Adds the Certification Authority Web Enrollment role service binaries.
  • Add-WindowsFeature Adcs-Device-Enrollment – Adds the Network Device Enrollment Service binaries.
  • Add-WindowsFeature Adcs-Online-Cert – Adds the Online Responder role service binaries.
  • Get-Command -Module AdcsDeployment – Displays all the cmdlets that are associated with AD CS Deployment.

Disaster recovery or Migrate procedure of Active Directory Certificate Authority:

Moving a CA from one computer to a second computer involves the following procedures:

  • Backing up the CA on the first computer
  • Restoring the CA on the second computer

You must be a member of domain admins security group to perform the following operation. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA or move the CA first and then upgrade Windows.

  • To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.
  • To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

To back up a CA

  1. Open the Certification Authority snap-in.

  2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

image

3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.

image

4. Type a password for the CA private key backup file, and type it a second time to confirm the password. then click Finish

image

5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration

 

image

6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

7. Backup the CA logs from the D:WinntSystem32Certlog folder, you must restore the backup to the D:WinntSystem32Certlog folder. After you restore the backup, you can move the CA database files to a different location.

image

8. In addition of above steps back up CAPolicy.inf . If your source CA is using a custom CAPolicy.inf file, you should copy the file to the same location as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:Windows.

To back up a CA database and private key by using Certutil.exe
  1. Log on with local administrative credentials to the CA computer.

  2. Open a Command Prompt window.

  3. Type Certutil.exe –backupdb <BackupDirectory> and press ENTER.

  4. Type Certutil.exe –backupkey <BackupDirectory> and press ENTER.

  5. Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.

  6. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.

  7. After the backup completes, verify the following files in the location you specified:

    • CAName.p12 containing the CA certificate and private key
    • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb
  8. Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.

How to remove the CA role service from the source server

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Highly Recommended Tasks. Staging a certificate restore is most import part before you decommission existing certificate server. Create a isolated environment similar to your Active Directory Domain Services. Add new Certificate Authority and restore the database and private key. test certificates, templates, registry and private key whether it is similar to your Production infrastructure. Once you happy and restoration tasks complete successfully you can decommission certificate authority. if source certificate authority is virtual than I would recommend you to take a snapshot before you remove the CA role.

  • To remove the CA on a computer running Windows Server 2003, use the Add/Remove Windows Components wizard.
  • To remove the CA on a computer running Windows Server 2008, use the Remove Roles Wizard in Server Manager.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

    noteNote You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next.  On the Confirm Installation Options page, review all of the configuration settings> click Install and wait until the setup process has finished.

  10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc

11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

image

13 Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

To restore the CA database by using Certutil.exe
  1. Log on to the destination server by using an account that is a CA administrator.

  2. Open a Command Prompt window.

  3. Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.

To Restoring the certificate templates list

Log on with administrative credentials to the destination CA.

  1. Open a command prompt window.

  2. Type certutil -setcatemplates +<templatelist> and press ENTER.

ImportantImportant ! Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

Verify registry location and Configuration parameters are: 

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicescertsvcConfiguration

  • DBDirectory
  • DBLogDirectory
  • DBSystemDirectory
  • DBTempDirectory
  • DBSessionCount

image

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicescertsvcConfigurationCAname

  • CACertPublicationURLs
  • CRLPublicationURLs

image

 

Granting permissions on AIA and CDP containers

If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers
  1. Open Active Directory Sites and Services> In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.

  6. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  7. In the console tree, expand CDP, and then click the name of the source server.

  8. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

image

4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

6. Repeat steps 13 through 18 for each cRLDistributionPoint item.

Additional procedures for failover clustering

  • CA Role must be installed on both nodes

  • Stop Active Directory Certificate Services from Services.msc

  • Ensure shared storage is online.

  • certificate store and logs must be placed in shared storage.

To verify shared storage is online

  1. Log on to the destination server. Start Server Manager.

  2. In the console tree, double-click Storage, and click Disk Management.

  3. Ensure that the shared storage is online and assigned to the node you are logged on to.

To configure AD CS as a cluster resource

Follow Configure Microsoft Fail over Cluster URL to create and configure a cluster.

  1. Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.

  2. In the list of services and applications, select Generic Service, and click Next.

  3. In the list of services, select Active Directory Certificate Services, and click Next.

  4. Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.

  5. To configure a shared registry hive, click Add, type SYSTEMCurrentControlSetServicesCertSvc, and then click OK. Click Next twice.

  6. Click Finish to complete the failover configuration for AD CS.

  7. In the console tree, double-click Services and Applications, and select the newly created clustered service.

  8. In the details pane, click Generic Service. On the Action menu, click Properties.

  9. Change Resource Name to Certification Authority, and click OK.

If you use a hardware security module (HSM) for your CA, complete the following procedure.

To create a dependency between a CA and the network HSM service
  1. Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.

  2. In the details pane, select the previously created name of the clustered service.

  3. On the Action menu, click Add a resource, and then click Generic Service.

  4. In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.

  5. Under Services and Applications in the console tree, click the name of the clustered services.

  6. In the details pane, select the newly created Generic Service. On the Action menu, click Properties.

  7. On the General tab, change the service name if desired, and click OK. Verify that the service is online.

  8. In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.

  9. On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.

To grant permissions on public key containers: If you are migrating to a failover cluster, complete the following procedures to grant all cluster nodes permissions to on the following AD DS containers:
  • The AIA container
  • The Enrollment container
  • The KRA container
To grant permissions on public key containers in AD DS
  1. Open Active Directory Sites and Services. In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  6. In the console tree, click Enrollment Services.  In the details pane, right-click the name of the source CA, and then click Properties.

  7. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.

  8. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  9. In the console tree, click KRA.

image

10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

To check the DNS name for a clustered CA in AD DS
  1. Log on to the active cluster node as a member of the Enterprise Admins group.

  2. Open ADSI Edit. On the Action menu, click Connect to. click Configuration, and click OK.

  3. In the console tree, expand ConfigurationServicesPublic Key ServicesEnrollment Services.

  4. Double click on CN and check check dNSHostName mentioned same as Failover Cluster Management in the Failover Cluster Manager snap-in, and click OK. if not add proper FQDN DNS of cluster as shown on the screenshot. Click OK to save changes.

image

5. Open dnsmgmt.msc from the start menu>run. Verify a Host (A) DNS record has been added with the same name and IP address of the Cluster. 

Configuring CRL distribution points for failover clusters

When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.

The following procedures must be performed on the active cluster node.

To change the configured CRL distribution points
  1. Open registry edit and Locate the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration.

  2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.

image

3. In the second line, replace %2 with the service name specified in step 6 of the procedure “To configure AD CS as a cluster resource.”  The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.

4. Open a command prompt, type certutil -CRL, and press ENTER.

5. To create the CRL distribution point container in AD DS At a command prompt, type cd %windir%System32CertSrvCertEnroll, and press ENTER. The CRL file created by the certutil –CRL command should be located in this directory.

6. To publish the CRL in AD DS, type certutil -f -dspublish “CRLFile.crl” and press ENTER.

To setup Audit on CA. Open CA MMC>Select the Certificate Server>Right Click>Click Property

image

Check desired Events to audit>Click Ok. restart CA Services.

To deploy Enterprise root CRL using GPO. Create a new group policy or use and existing GPO. Click Edit. Expand to Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies. Right Click on trusted Root Certificates>Click Import>Locate root certificate and import the certificate. Click Close.

image

To request Automatic Certificate request. Create a new group policy or use and existing GPO. Click Edit. Expand to Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies. Right Click Automatic Certificate Request >Click New >Click Automatic certificate Request>Configure Certificate template and request. Follow the screenshot. Note that Auto Enroll must be allowed in the security tab of certificate template in CA.

image

Additional references

How to extend root certificate authority and subordinate CA

Configure Microsoft Fail over Cluster

Active Directory Certificate Services Overview

How did this blog perform in the year of 2011

This blog was viewed about 190,000 times in 2011.

1

The busiest day of the year was December 7th with 1,150 views. The most popular post that day was Install and Configure Lync Server 2010—Step by Step.

Some visitors came searching, mostly for tmg reverse proxy, lync server, tmg 2010 pdf, fax server windows 2008, and forefront site to site vpn configuration.

2

The top referring sites in 2011 were:

The most commented on post in 2011 was Microsoft Active Directory—Best Practice

The popular posts:

  1.  Install and Configure Lync Server 2010—Step by Step
  2.  Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step
  3.  How to configure reverse proxy using Forefront TMG 2010— step by step
  4.  Configure FAX server using Windows Server 2008 and Standard Fax Modem
  5.  Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

I look forward to serving you again in 2012! Happy New Year!

How to Extend Root CA and Sub CA Validation Period in Windows Server 2008 R2 Environment—Step by Step Guide

How Certificate Authority Check Validity:

image
Windows Server 2012 Step by Step

As a pre-caution backup CA, IIS and registry of certificate servers.

To Backup Certificate Authority

  1. Log on to the system as a Backup Operator or a Certification Authority Administrator.
  2. Open Certification Authority>click the name of the certification authority (CA).
    Certification Authority (Computer)/CA name
  3. On the Action menu, point to All Tasks, and click Backup CA.
  4. Click Next>Select Private and Certificate Database>Point Backup location>Click Next>Click Finish.

To restore certificate authority

  1. Log on to the system as a Backup Operator or a Certification Authority Administrator.
  2. Open Certification Authority>click the name of the certification authority (CA).
    Certification Authority (Computer)/CA name
  3. On the Action menu, point to All Tasks, and click Restore CA>Click Yes
  4. Click Next> Select Private and Certificate Database>Point Backed up CA DB location>Click Next>Click Finish.

How to Backup Windows Registry Key.. Follow these KB256986 and KB322756 article.

You can use the following command line to backup and restore IIS metabase. Backup should be used to back up the IIS Web content pages and the CA. Open Command Prompt as an administrator>Change Directory to %windir%system32inetsrv

To backup configuration, run the follow command:

appcmd.exe add backup “CABackupddmmyyyy”

To restore that backup, run this command:

appcmd.exe restore backup “CABackupddmmyyyy”

To extend validity period in Enterprise Root CA perform step1 to step4 on Enterprise Root CA Server

Step1: Open Command Prompt as an Administrator> type Following

certutil -getreg caValidityPeriod

certutil -getreg caValidityPeriodUnits

certutil –setreg caValidityPeriod Years

certutil -setreg caValidityPeriodUnits 10

Step2: Create a file using notepad.txt and rename the file as CAPolicy.inf .Copy the following into the file CAPolicy.inf and paste CAPolicy.inf file into C:Windows Folder

[Version]
Signature= “$Windows NT$”
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

Step3: If you don’t want to renew Certificate Key then type the following command into command prompt

net stop certsvc
net start certsvc

If you want to renew key then skip step3 and follow step4

Step4:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

2. In the console tree, click the name of the certification authority (CA)> Select Certification Authority (Computer)/CA name

3. On the Action menu, point to All Tasks, and click Renew CA Certificate.

4. Do one of the following:

· If you want to generate a new public and private key pair for the certification authority’s certificate, click Yes.

· If you want to reuse the current public and private key pair for the certification authority’s certificate, click No.

5. Right Click Certification Authority (Computer)/CA name, Click Property> Click General Tab>Select Certificate #1>View Certificate>Check Expiry date as above mentioned CAPolicy.inf

To extend validity period in Enterprise subordinate CA Server perform step5 to step8 in SUB CA

Step5: Open Command Prompt in SUB CA and type the following and press enter

certutil -getreg caValidityPeriod

certutil -getreg caValidityPeriodUnits

certutil –setreg caValidityPeriod Years

certutil -setreg caValidityPeriodUnits 5

Step6: Create a file using notepad.txt and rename the file as CAPolicy.inf . Copy the following into the file CAPolicy.inf and paste CAPolicy.inf file into C:Windows Folder

[Version]
Signature= “$Windows NT$”
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5

Step7:

If you don’t want to renew Certificate Key then type the following command into command prompt

net stop certsvc
net start certsvc

If you want to renew key then skip step7 and follow step8

Step8:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

2. In the console tree, click the name of the certification authority (CA)> Select Certification Authority (Computer)/CA name

3. On the Action menu, point to All Tasks, and click Renew CA Certificate.

4. Do one of the following:

· If you want to generate a new public and private key pair for the certification authority’s certificate, click Yes.

· If you want to reuse the current public and private key pair for the certification authority’s certificate, click No.

5. If a parent CA is available online

· Click Send the request directly to a CA already on the network.

· In Computer Name, type the name of the computer on which the parent CA is installed.

· In Parent CA, click the name of the parent CA.

6. If a Root CA is Offline or not a member of domain

· Click Save the request to a file.

· In Request file, type the path and file name of the file that will store the request.

· Obtain this subordinate CA’s certificate from the root CA.

7. Open Certification Authority>click the name of the CA. Certification Authority (Computer)/CA name

8. On the Action menu, point to All Tasks, and then click Install CA Certificate.

9. Locate the certificate file received from the parent certification authority, click this file, and then click Open.

10. Right Click Certification Authority (Computer)/CA name, Click Property> Click General Tab>Select Certificate #1>View Certificate>Check Expiry date as above mentioned CAPolicy.inf

Post renewal checks:

Check all the event logs in Root CA and Sub CA for any potential error related to the changes you made

If you have any gotcha and you have to restore a CA, the IIS metabase must also be restored if it has been damaged or lost. If a damaged or missing IIS metabase is not restored, IIS will fail to start, and that will result in Certificate Services Web pages (http://caservername/certsrv) failing to load. An alternative method is to recreate the IIS metabase and then use the certutil.exe -vroot command at a command line to reconfigure the IIS server to support the CA Web pages.

All Websites and Computer certificates issued by sub CA and Root CA are valid as long CA’s are valid and issued certificates aren’t expired.

Issue new certificate CRL using GPO to all computers and servers as you have changed root CA. Export Root CA CRL using http://caservername/certsrv . Click Download a CA Certificate, Click Download CA Certificate and Save in a location. Create new GPO or edit an existing GPO

  1. Open the Group Policy object (GPO) that you want to edit.
  2. Go to Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities
  3. In the console tree, click Trusted Root Certification Authorities.
  4. On the Action menu, point to All Tasks, and then click Import and point to the location where you saved CA certificate.
  5. Apply this GPO to designated computer and server OU.

 

 

 

Relevant Article:

An Overview of Active Directory Certificate Service

Active Directory Best Practice