Windows Server 2008 R2 Active Directory Certificate Services Deep Dive

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

Create a text file using Notepad, copy the following content into it, and save it as request.inf.

; copy from here

Signature = "$Windows NT$"

Subject = "" ; must be the FQDN of domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048 ; Common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC ; or PKCS10

; Omit entire section if CA is an enterprise CA
OID= ; Server Authentication
OID= ; Client Authentication

; If your client operating system is Win2k8, Win Vista or Win7,
; SANs can be included in the Extensions section by using the following text format.
; Note: is the OID for a SAN extension. = "{text}"
_continue_ = ""
_continue_ = "dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&"
_continue_ = "url="
_continue_ = "ipaddress="
_continue_ =
_continue_ =
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"

; Alternatively you can create a SAN attribute using a script provided in KB
; use text format or encrypted format of SAN.
; Multiple alternative names must be separated by an ampersand (&).
; In the example I have shown two different types of SAN. Use only one type of SAN.
; Asterisk * is used for Wildcard certificates.

CertificateTemplate = WebServer
; change template name depending on your environment.

; remove ";" from request.inf file. File ends here.

Important Note: Some third-party certification authorities (for example, ISPs who sell SSL certificates) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject=", CN=<FQDN of server>, OU=My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU". Amend Request.inf as per your need. For a standard certificate request you can omit the SAN, [Extensions] and [EnhancedKeyUsageExtension] sections.

Open a command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new c:\request.inf c:\certnew.req

At the command prompt, type the following command, and then press ENTER:

certreq -submit c:\certnew.req c:\certnew.cer

If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

certreq -submit -config "" c:\certnew.req c:\certnew.cer

Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:

certreq -retrieve RequestID c:\certnew.cer

You can also use the -config switch here to retrieve the certificate request from a specific CA.

At the command prompt, type the following command, and then press ENTER:

certreq -accept c:\certnew.cer

This command imports the certificate into the appropriate store and then links the certificate to the private key that was created by the certreq -new step.
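The whole certreq procedure above as one script, added here as an example and not part of the original post: it writes request.inf with the SAN inside the request's [Extensions] section, runs certreq -new, -submit and -accept, and then checks that the issued certificate actually carries every requested name. The host names and the -config string are constructed placeholders to replace with your own.

```powershell
# Added example (not from the original post). Run in an elevated prompt on the
# server that needs the certificate.
$Fqdn     = 'web01.microsoftguru.com.au'                 # constructed sample FQDN
$Alias    = 'intranet.microsoftguru.com.au'              # constructed sample alias
$CaConfig = 'MYCA.microsoftguru.com.au\MicrosoftGuru-CA' # placeholder "host\CA name"
$Work     = 'C:\certreq'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 2.5.29.17 is the Subject Alternative Name extension OID. Because the SAN is
# part of the signed request (not a request attribute), the CA needs no
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag: the WebServer template's "supply in
# request" subject setting is enough. Each _continue_ value must end with '&'.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$Alias&"

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

function Invoke-CertReq([string[]]$CmdArgs) {
    # certreq returns a non-zero exit code on failure; stop instead of carrying
    # on with a missing .req/.cer file
    & certreq.exe @CmdArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CmdArgs[0]) failed with exit code $LASTEXITCODE" }
}

$req = "$Work\request.req"
$cer = "$Work\certnew.cer"
Invoke-CertReq @('-new', "$Work\request.inf", $req)
# -config skips the CA picker. If the CA leaves the request pending, -submit
# prints a RequestId to use later with: certreq -retrieve <RequestId> <file>
Invoke-CertReq @('-submit', '-config', $CaConfig, $req, $cer)
# Binds the issued certificate to the private key generated by -new
Invoke-CertReq @('-accept', $cer)

# Verification: the SAN the CA issued must contain exactly the names requested
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Issued certificate carries no SAN extension; check the template' }
$sanText = $san.Format($false)   # e.g. "DNS Name=web01..., DNS Name=intranet..."
foreach ($name in @($Fqdn, $Alias)) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "Issued SAN lacks $name : $sanText" }
}
"Issued $($cert.Subject) (thumbprint $($cert.Thumbprint))"
"SAN: $sanText"
```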

How to configure a CA to accept a SAN attribute from a certificate request

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
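Setting EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour a SAN supplied as a request attribute by anyone who can enroll for any template, so the issued name is no longer tied to the requester or the template; the following added script (not from the original post) reports whether the flag is set on this CA and can clear it again. It assumes one CA on the host, an elevated prompt and English certutil output.

```powershell
# Added example (not from the original post): audit and remediate the SAN
# request-attribute flag on the CA policy module.

function Get-CaEditFlags {
    $out = & certutil.exe -getreg policy\EditFlags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed: $($out -join ' ')" }
    # certutil prints the DWORD as hex, e.g. "EditFlags REG_DWORD = 11014e (1114446)",
    # followed by one line per flag that is set
    $line = @($out | Select-String -Pattern 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if ($line.Count -eq 0) { throw "Could not parse EditFlags from: $($out -join ' ')" }
    [Convert]::ToInt32($line[0].Matches[0].Groups[1].Value, 16)
}

function Test-CaSanAttributeFlag {
    $flags   = Get-CaEditFlags
    $attrSan = 0x40000   # EDITF_ATTRIBUTESUBJECTALTNAME2 bit value
    $set     = ($flags -band $attrSan) -ne 0
    New-Object PSObject -Property @{
        EditFlags                      = ('0x{0:x}' -f $flags)
        EDITF_ATTRIBUTESUBJECTALTNAME2 = $set
        Assessment = $(if ($set) {
            'SAN may be chosen by any requester via a request attribute; prefer a SAN inside the signed request plus scoped enroll permissions'
        } else {
            'SAN can only come from the template or from the signed request'
        })
    }
}

function Disable-CaSanAttributeFlag {
    # Clears only this flag; the other EditFlags bits stay as they are. The CA
    # service must restart before the policy module rereads the registry.
    & certutil.exe -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed' }
    Restart-Service -Name certsvc
    Test-CaSanAttributeFlag
}

Test-CaSanAttributeFlag | Format-List
# To remediate, run: Disable-CaSanAttributeFlag
```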

To repair a certificate
  1. If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

  2. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

  3. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

  4. Open a Command Prompt window, type certutil -repairstore My "{SerialNumber}" and then press ENTER.


How to enable secure certificate enrolment in certificate authority

Step1: Create request.inf file using WebServer template

Step2: Generate a web server certificate request (request.req) using the certreq.exe tool:

certreq -new c:\request.inf c:\request.req

Step3: Submit the request.req file using certreq.exe or the CA Management Console. Save certificate.cer.

Open the CA MMC > select the CA server > right-click the CA server > click All Tasks > Submit a new request.

Point to the location c:\request.req and submit. You will be prompted to save the certificate.


Step4: Import the certificate into certificate authority

Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right-click Certificates and import the certificate you saved in the previous step.

Step5: Open IIS Management Console > select Default Web Site > click Bindings from the Actions pane > click Add > select HTTPS > select the certificate you just imported in the previous step. Click OK.




Step6: Run iisreset /restart from command prompt

Step7: Test https://MYCA/certsrv

How to use secure Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer. In Internet Explorer, connect to https://MYCA/certsrv.
  2. Click Request a Certificate, then click Advanced certificate request.
  3. Click Request a certificate.
  4. In the Certificate Template list, click Web Server. Note: The CA must be configured to issue Web Server certificates.
  5. Provide identifying information as required.
  6. In the Name box, type the fully qualified domain name (FQDN) of the server.
  7. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store

Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:[&]


Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is and the alias are and, these names must be included in the SAN attributes. The resulting attribute string appears as follows:



Click Submit. If you see the Certificate Issued Web page, click Install this Certificate.

My preferred way to request a certificate is to create a .req file as shown in the previous steps. Open the .req file in Notepad and copy the contents. Click Submit a certificate request by using a base-64-encoded request.

Paste the contents into the base-64-encoded request box. Select the Web Server template. Click Submit.

Now, to obtain the certificate, click Yes.

To download the certificate with the root CA CRL, click Download certificate chain in P7B format.

To download only the certificate, click Download certificate and save it.


How to configure Private Key in Certificate Authority and Export Private Key

1. Open the CA MMC from Administrative Tools > right-click Certificate Templates > click Manage.

2. Select the WebServer template > right-click it > click Duplicate Template > select the Win2k3 or Win2k8 OS version > on the General tab, type the template name WebServer With Private Key.

3. Click the Request Handling tab > check Allow private key to be exported.

4. Click the Security tab > grant appropriate permissions to the person who will enroll and export the certificates.

5. Click OK. Close the CA MMC.

6. Create a WebServer request.inf and create the request.req file.

7. Submit the WebServer request to https://myca/certsrv. Download and install the certificate.

To export a certificate with the private key

1. Open Certificate Manager by clicking the Start button > Search box > type certmgr.msc, and then press ENTER.

2. Go to Certificates - Current User\Personal\Certificates > select the certificate you would like to export.

3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.

Note that this option will appear only if the private key is marked as exportable in the request.inf file and you have access to the private key.

4. Under Export File Format, do one or both of the following, and then click Next.

  • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
  • To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

How to import Private Key

  1. Click Start > Search box > type mmc > add the Certificates snap-in for the Computer account > click OK.

  2. Click a folder, click the Action menu, point to All Tasks, and then click Import.

  3. Browse to the location where you exported the certificate > select the certificate > provide the password to import the certificate.

4. Click Next, and then follow the instructions.

Playing with AD CS Administration Cmdlets in Windows PowerShell

The following Windows PowerShell® cmdlets are for use in administering the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server® "8" Beta.

  • Import-Module ServerManager – Imports the Server Manager module that provides the Add-WindowsFeature cmdlet.
  • Add-WindowsFeature Adcs-Cert-Authority – Adds the Certification Authority role service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Pol – Adds the Certificate Enrollment Policy Web Service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Svc – Adds the Certificate Enrollment Web Service binaries.
  • Add-WindowsFeature Adcs-Web-Enrollment – Adds the Certification Authority Web Enrollment role service binaries.
  • Add-WindowsFeature Adcs-Device-Enrollment – Adds the Network Device Enrollment Service binaries.
  • Add-WindowsFeature Adcs-Online-Cert – Adds the Online Responder role service binaries.
  • Get-Command -Module AdcsDeployment – Displays all the cmdlets that are associated with AD CS Deployment.

Disaster recovery or migration procedure for an Active Directory Certificate Authority:

Moving a CA from one computer to a second computer involves the following procedures:

  • Backing up the CA on the first computer
  • Restoring the CA on the second computer

You must be a member of the Domain Admins security group to perform the following operations. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA, or move the CA first and then upgrade Windows.

  • To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.
  • To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

To back up a CA

  1. Open the Certification Authority snap-in.

  2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.


  3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.

  4. Type a password for the CA private key backup file, and type it a second time to confirm the password. Then click Finish.

  5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

  6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

  7. Back up the CA logs from the D:\Winnt\System32\Certlog folder; you must restore the backup to the D:\Winnt\System32\Certlog folder. After you restore the backup, you can move the CA database files to a different location.

  8. In addition to the above steps, back up CAPolicy.inf. If your source CA is using a custom CAPolicy.inf file, you should copy the file to the same location as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:\Windows.

To back up a CA database and private key by using Certutil.exe
  1. Log on with local administrative credentials to the CA computer.

  2. Open a Command Prompt window.

  3. Type Certutil.exe -backupdb <BackupDirectory> and press ENTER.

  4. Type Certutil.exe -backupkey <BackupDirectory> and press ENTER.

  5. Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.

  6. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.

  7. After the backup completes, verify the following files in the location you specified:

    • CAName.p12 containing the CA certificate and private key
    • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb
  8. Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.
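The Certutil.exe backup procedure above as one script, added here as an example (not from the original post): it backs up the database and key, exports the CertSvc registry hive, copies CAPolicy.inf, records the template list for a later certutil -setcatemplates, verifies the files the procedure names and writes a SHA-256 manifest so the copy on the destination server can be checked before restoring. The backup path is a constructed example and the script assumes an elevated prompt on the source CA.

```powershell
# Added example (not from the original post). Run elevated on the source CA.
param(
    [string]$BackupRoot = 'D:\CABackup',   # constructed example location
    [switch]$StopService                   # also stop certsvc once the backup is verified
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

function Invoke-Certutil([string[]]$CmdArgs) {
    & certutil.exe @CmdArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CmdArgs -join ' ') failed ($LASTEXITCODE)" }
}

# Protects the .p12 that holds the CA private key; the restore wizard asks for it
$keyPassword = Read-Host 'Password for the CA private key backup'

# -f overwrites files left by an earlier run in the same folder
Invoke-Certutil @('-f', '-backupdb', $BackupRoot)                      # DataBase\ folder
Invoke-Certutil @('-f', '-p', $keyPassword, '-backupkey', $BackupRoot) # <CAName>.p12

# The CA configuration that the restore procedure imports with regedit
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $BackupRoot 'CertSvc-Configuration.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed' }

# A custom CAPolicy.inf lives in %SystemRoot%; copy it if present
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy $BackupRoot }

# Record the templates this CA publishes; restore with certutil -setcatemplates +<list>
& certutil.exe -catemplates | Set-Content (Join-Path $BackupRoot 'catemplates.txt')

# Verify the files the procedure says must exist
$expected = @('*.p12', 'DataBase\certbkxp.dat', 'DataBase\*.edb', 'DataBase\edb*.log',
              'CertSvc-Configuration.reg', 'catemplates.txt')
foreach ($pattern in $expected) {
    $hit = Get-ChildItem -Path (Join-Path $BackupRoot $pattern) -ErrorAction SilentlyContinue
    if (-not $hit) { throw "Backup incomplete: nothing matches $pattern under $BackupRoot" }
}

# SHA-256 manifest: compare on the destination before running -restoredb / -restorekey
$sha = [System.Security.Cryptography.SHA256]::Create()
$manifest = Get-ChildItem -Path $BackupRoot -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'manifest.sha256' } |
    ForEach-Object {
        $fs = $_.OpenRead()
        try { $hash = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
        finally { $fs.Close() }
        '{0}  {1}' -f $hash.ToLower(), $_.FullName.Substring($BackupRoot.TrimEnd('\').Length + 1)
    }
$manifest | Set-Content (Join-Path $BackupRoot 'manifest.sha256')

if ($StopService) {
    # Stop issuing certificates from the source once the backup is known-good
    Stop-Service -Name certsvc
}
"Backup written to $BackupRoot; $(@($manifest).Count) files listed in manifest.sha256"
```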

How to remove the CA role service from the source server

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Highly recommended tasks: Staging a certificate restore is the most important part before you decommission the existing certificate server. Create an isolated environment similar to your Active Directory Domain Services. Add a new certificate authority and restore the database and private key. Test whether the certificates, templates, registry and private key are the same as in your production infrastructure. Once you are happy and the restoration tasks complete successfully, you can decommission the certificate authority. If the source certificate authority is virtual, then I would recommend you take a snapshot before you remove the CA role.

  • To remove the CA on a computer running Windows Server 2003, use the Add/Remove Windows Components wizard.
  • To remove the CA on a computer running Windows Server 2008, use the Remove Roles Wizard in Server Manager.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

    Note: You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next. On the Confirm Installation Options page, review all of the configuration settings, click Install, and wait until the setup process has finished.

  10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

  11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

  12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

  13. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

To restore the CA database by using Certutil.exe
  1. Log on to the destination server by using an account that is a CA administrator.

  2. Open a Command Prompt window.

  3. Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.

To restore the certificate templates list

Log on with administrative credentials to the destination CA.

  1. Open a command prompt window.

  2. Type certutil -setcatemplates +<templatelist> and press ENTER.

Important: Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

Verify the registry location and the following configuration parameters:

  • DBDirectory
  • DBLogDirectory
  • DBSystemDirectory
  • DBTempDirectory
  • DBSessionCount
  • CACertPublicationURLs
  • CRLPublicationURLs



Granting permissions on AIA and CDP containers

If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers
  1. Open Active Directory Sites and Services> In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.

  6. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  7. In the console tree, expand CDP, and then click the name of the source server.

  8. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.


  9. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  10. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  11. Repeat steps 8 through 10 for each cRLDistributionPoint item.

Additional procedures for failover clustering

  • The CA role must be installed on both nodes.

  • Stop Active Directory Certificate Services from Services.msc.

  • Ensure shared storage is online.

  • The certificate store and logs must be placed on shared storage.

To verify shared storage is online

  1. Log on to the destination server. Start Server Manager.

  2. In the console tree, double-click Storage, and click Disk Management.

  3. Ensure that the shared storage is online and assigned to the node you are logged on to.

To configure AD CS as a cluster resource

Follow the Configure Microsoft Failover Cluster article (see Additional references) to create and configure a cluster.

  1. Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.

  2. In the list of services and applications, select Generic Service, and click Next.

  3. In the list of services, select Active Directory Certificate Services, and click Next.

  4. Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.

  5. To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK. Click Next twice.

  6. Click Finish to complete the failover configuration for AD CS.

  7. In the console tree, double-click Services and Applications, and select the newly created clustered service.

  8. In the details pane, click Generic Service. On the Action menu, click Properties.

  9. Change Resource Name to Certification Authority, and click OK.

If you use a hardware security module (HSM) for your CA, complete the following procedure.

To create a dependency between a CA and the network HSM service
  1. Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.

  2. In the details pane, select the previously created name of the clustered service.

  3. On the Action menu, click Add a resource, and then click Generic Service.

  4. In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.

  5. Under Services and Applications in the console tree, click the name of the clustered services.

  6. In the details pane, select the newly created Generic Service. On the Action menu, click Properties.

  7. On the General tab, change the service name if desired, and click OK. Verify that the service is online.

  8. In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.

  9. On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.

To grant permissions on public key containers: If you are migrating to a failover cluster, complete the following procedures to grant all cluster nodes permissions on the following AD DS containers:

  • The AIA container
  • The Enrollment container
  • The KRA container

To grant permissions on public key containers in AD DS
  1. Open Active Directory Sites and Services. In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  6. In the console tree, click Enrollment Services.  In the details pane, right-click the name of the source CA, and then click Properties.

  7. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.

  8. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  9. In the console tree, click KRA.


10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

To check the DNS name for a clustered CA in AD DS
  1. Log on to the active cluster node as a member of the Enterprise Admins group.

  2. Open ADSI Edit. On the Action menu, click Connect to, click Configuration, and click OK.

  3. In the console tree, expand Configuration\Services\Public Key Services\Enrollment Services.

  4. Double-click the CN entry for the CA and check that dNSHostName is the same as the name shown in the Failover Cluster Manager snap-in, and click OK. If not, add the proper FQDN of the cluster as shown in the screenshot. Click OK to save the changes.

  5. Open dnsmgmt.msc from Start > Run. Verify that a Host (A) DNS record has been added with the same name and IP address as the cluster.

Configuring CRL distribution points for failover clusters

When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.

The following procedures must be performed on the active cluster node.

To change the configured CRL distribution points
  1. Open Registry Editor and locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

  2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.

  3. In the second line, replace %2 with the service name specified in step 4 of the procedure "To configure AD CS as a cluster resource." The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.

  4. Open a command prompt, type certutil -CRL, and press ENTER.

  5. To create the CRL distribution point container in AD DS, at a command prompt type cd %windir%\System32\CertSrv\CertEnroll and press ENTER. The CRL file created by the certutil -CRL command should be located in this directory.

  6. To publish the CRL in AD DS, type certutil -f -dspublish "CRLFile.crl" and press ENTER.
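Steps 1 to 6 above as one script, added here as an example (not from the original post): it swaps the %2 server-name token for the cluster name in both CRLPublicationURLs and CACertPublicationURLs, restarts the CA, regenerates the CRL and publishes it to AD DS, then checks that no publication URL still references %2. The cluster name is a constructed value; run it elevated on the active cluster node.

```powershell
# Added example (not from the original post). Run elevated on the active node.
param([string]$ClusterName = 'CA-CLUSTER')   # constructed; use your clustered service name

$ErrorActionPreference = 'Stop'
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # common name of the CA
$caKey  = Join-Path $cfg $caName

function Update-PublicationUrls([string]$ValueName) {
    $urls = @((Get-ItemProperty -Path $caKey -Name $ValueName).$ValueName)
    # %2 expands to the local server's short name, which changes on every
    # failover; pin the LDAP CDP/AIA entries to the cluster name instead.
    $new = @($urls | ForEach-Object { $_ -replace '%2', $ClusterName })
    if (($urls -join "`n") -eq ($new -join "`n")) {
        Write-Warning "${ValueName}: no %2 token found, value left unchanged"
        return
    }
    Set-ItemProperty -Path $caKey -Name $ValueName -Value ([string[]]$new) -Type MultiString
    "$ValueName now:"
    $new
}

Update-PublicationUrls 'CRLPublicationURLs'
Update-PublicationUrls 'CACertPublicationURLs'

# The CA reads the publication URLs at start-up, so restart before issuing a CRL
Restart-Service -Name certsvc

& certutil.exe -CRL | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed' }

# certutil -CRL writes the new CRL(s) into CertEnroll; -f creates the AD DS
# CDP container if it does not exist yet
$certEnroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
Get-ChildItem -Path $certEnroll -Filter '*.crl' | ForEach-Object {
    & certutil.exe -f -dspublish $_.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dspublish failed for $($_.Name)" }
    "Published $($_.Name) to AD DS"
}

# Final check: nothing the CA publishes should still point at the node name
$left = @((Get-ItemProperty -Path $caKey -Name CRLPublicationURLs).CRLPublicationURLs) +
        @((Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs) |
        Where-Object { $_ -match '%2' }
if ($left) { throw "Still referencing %2: $($left -join '; ')" }
"All publication URLs now use $ClusterName"
```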

To set up auditing on the CA: open the CA MMC > select the certificate server > right-click > click Properties.

Check the desired events to audit > click OK. Restart the CA service.

To deploy the enterprise root CRL using GPO: create a new group policy or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Trusted Root Certificates > click Import > locate the root certificate and import it. Click Close.

To configure automatic certificate requests: create a new group policy or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Automatic Certificate Request > click New > click Automatic Certificate Request > configure the certificate template and request. Follow the screenshot. Note that Autoenroll must be allowed on the Security tab of the certificate template in the CA.


Additional references

How to extend root certificate authority and subordinate CA

Configure Microsoft Fail over Cluster

Active Directory Certificate Services Overview

System Center Virtual Machine Manager 2012 Beta First Look

Systems Requirement:

  • Windows Server 2008 R2 x64 domain member
  • Windows Remote Management (WinRM) 2.0
  • Windows PowerShell 2.0
  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
  • Windows AIK for Windows 7
  • SQL Server 2008 or SQL Server 2008 R2
  • WDS and WSUS roles installed 

Installation of System Center Virtual Machine Manager 2012:
System Center Virtual Machine Manager 2012 Beta – Evaluation (VHD)

SCVMM 2012 Beta Download

Remove initial configuration wizard on Windows Server 2008 using GPO

Open the GPO management console with administrative privileges. Create and link a GPO to the Enterprise Server OU. Right-click the Enterprise Server OU > click Properties.

Expand and locate the Server Manager section in the following part of the GPO: expand Computer Configuration > expand Policies > expand Administrative Templates > expand System > select Server Manager.

Enable both options as shown in the screenshots.

Close the window. Run gpupdate on the servers to apply the GPO, or wait for the GPO to refresh at the configured Group Policy refresh interval.

Configure Microsoft Fail over Cluster for DHCP services—step by step

Microsoft Cluster Requirements: Servers, NICs and storage must meet Microsoft cluster requirements to configure MSCS using two or more independent computers. The objective of creating a cluster is to avoid a single point of failure, that is, to provide high availability for services or applications. Before you configure a cluster, keep in mind that your design must meet these primary conditions.

To achieve redundancy, you can connect your cluster nodes with networks built from teamed network adapters, redundant switches and redundant routers, which removes single points of failure.

Serial Attached SCSI or Fibre Channel adapters must be identical and use the same firmware version. For iSCSI storage, you must use dedicated HBAs or gigabit network adapters for storage; these adapters cannot be used for network communication. To use the native disk support included in failover clustering, use basic disks, not dynamic disks. Microsoft recommends NTFS for the quorum disk and shared storage; you can use either master boot record (MBR) or GUID partition table (GPT). A LUN used for one set of cluster servers should be isolated from all other servers through LUN masking or zoning. In a highly available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software or Microsoft Multipath I/O (MPIO), with at least two HBAs per server connecting to two different fabric switches.

You can configure a Microsoft cluster using all versions of Windows Server 2008 Enterprise and Datacenter. You must configure all nodes with the same architecture, OS, patches and hotfixes. For example, if one node is x64, then all other nodes in the cluster must be x64. To build an MSCS cluster, you must have functional AD DS, an Active Directory domain controller, and administrative rights to manage MSCS.

Unsupported configuration:

  • NIC teaming other than with the manufacturer's teaming software
  • IP addresses assigned from a Dynamic Host Configuration Protocol (DHCP) server for the cluster administration address (which is associated with the cluster name) or any IP address resources.
  • Non-multiported NICs
  • For iSCSI, you cannot use teamed network adapters, because they are not supported with iSCSI
  • Windows Server 2008 Standard
  • MSCS cannot be formed between two nodes that are members of two different Active Directory forests.

Configure Network: MSCS requires a minimum of two network adapters in each node of the cluster to be certified for the HCL: one for the heartbeat network and another for the public network, or simply for data transmission on the internal network. All network cards on the public network need to be on the same logical network (same subnet) regardless of their physical location. It is recommended that you assign the private (heartbeat) network adapter an address from a Class A, Class B or Class C IP range.


Microsoft does not recommend network teaming on a cluster. However, if you do use manufacturer-specific network adapter teaming software (for example Dell's advanced network management suite), it must be transparent to the cluster and must reside only on the public network. The heartbeat NIC is connected with a separate crossover cable (or to a switch in the same VLAN).

Sample IP configuration of Internal NIC:

IP Address  DG:  DNS:

Sample IP configuration of Heartbeat:

IP Address DG: Null DNS: Null

Open the Failover Cluster Management console > click Networks > right-click the heartbeat network > click Properties > click "Do not allow the cluster to use this network" > click Apply and OK. Note that this NIC is dedicated to the heartbeat network; clients should use another network.


Configure Shared Storage: I used FreeNAS as the iSCSI target. To use FreeNAS as an iSCSI target, download the FreeNAS iSCSI target VMware vmdk file from SourceForge or

Add target disks for quorum and shared storage.


Start the FreeNAS VM. From the console setup, set the LAN IP and the WebGUI password. Open IE in Windows 7 and browse to the FreeNAS IP. Make sure scripting and ActiveX are allowed in IE. Click Services > iSCSI target > click Portal > add the LAN IP address you set up as the portal IP address.


Click Settings > Enable iSCSI target. Do not change the default settings. Click Target > click Add Extent to mount the disk. Once finished, add a target and assign it to the disk you added in the previous steps. Add as many disks and targets as you want from this window. Apply changes.



Log on to the cluster server, open Administrative Tools > iSCSI Initiator > click the Discovery tab > click Add Portal. Type the IP address of the iSCSI target, leave the rest of the settings at their defaults and add the target portal.


Click the Targets tab > click Refresh. You will be presented with the target disks. Select a target disk and click Log on. Check "Automatically restore this connection when the computer starts" and click OK.






Start menu > Run > type diskmgmt.msc and click OK > see the disks visible to the cluster server. Configure the disks as basic disks with the NTFS file system.


Note that for this article I am using the software initiator, as I don't have an HBA in my test infrastructure, so don't ask why I use the MS iSCSI initiator. You can use other means of connecting storage to your server; you are free to do so as long as it is supported by the Microsoft HAL.

Install Failover Cluster Feature: In Server Manager, open the Add Features wizard, select Failover Clustering, and then click Install. Follow the installation wizard.


Configure Cluster: To open the failover cluster snap-in, click Start, click Administrative Tools, and then click Failover Cluster Management. Right-click Failover Cluster Management > click Create a Cluster. Add the servers that take part in this cluster, type the cluster IP address, type the name of the cluster and add the shared storage. Follow the wizard to finish creating the cluster.












Check Clustered Disk:

Open Failover Cluster Management, click Storage and view the available storage. You may label your quorum disk "Quorum" with "Q" as its drive letter to identify the quorum disk quickly.


Configure Quorum Disk:

The quorum algorithm is a method for determining whether a majority of cluster members exists so that resources can be shared across the cluster. Quorum is the number of votes that must be present for the cluster to function. A cluster can designate a disk as the quorum disk; it acts as a virtual cluster member whose purpose is to add one vote to the total cluster votes. For example, if you have a thirteen-node cluster and your seventh node fails, the cluster becomes inoperative. By establishing a quorum disk, you can increase the availability of a two-node cluster; such a configuration can maintain quorum in the event of failure of either the quorum disk or one node, and continue operating. There are four quorum modes: Node Majority, Node and Disk Majority, Node and File Share Majority, and No Majority: Disk Only.

Right-click Storage > click Add Disk > select the cluster disk > click OK. A 2 GB quorum disk is enough for your cluster. Don't worry about this screenshot; it is just for this article.



Right-click Failover Cluster Management > click Validate a Configuration > select the disk validation tests and run the validation. You should see that validation passed.


Right-click the FQDN of the failover cluster, click More Actions, and then click Configure Cluster Quorum Settings. MSCS recommends a quorum mode for your configuration; select the recommended mode and click Next.



Select the witness storage disk and click Next. Click Finish and review the report.
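The GUI steps above (heartbeat network setting, feature installation, cluster creation, adding the iSCSI disks and choosing the quorum) can be driven from PowerShell with the ServerManager and FailoverClusters modules that ship with Windows Server 2008 R2. The script below is an added example, not code from the original post. The node names, the cluster name mscs01, the cluster address 10.0.0.50, the heartbeat subnet 192.168.100.0 and the disk name "Cluster Disk 1" are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Assumed names: node1/node2,
# cluster "mscs01", cluster IP 10.0.0.50, heartbeat subnet 192.168.100.0,
# witness disk "Cluster Disk 1". Run elevated on a domain-joined node.
Import-Module ServerManager
Add-WindowsFeature Failover-Clustering            # repeat on every node

Import-Module FailoverClusters
$nodes = 'node1.microsoftguru.com.au', 'node2.microsoftguru.com.au'

# Validate first; the HTML report is written to C:\Windows\Cluster\Reports.
Test-Cluster -Node $nodes

New-Cluster -Name 'mscs01' -Node $nodes -StaticAddress '10.0.0.50'

# Name the networks by subnet so the role assignment below is unambiguous.
$hb  = Get-ClusterNetwork -Cluster 'mscs01' | Where-Object { $_.Address -eq '192.168.100.0' }
$pub = Get-ClusterNetwork -Cluster 'mscs01' | Where-Object { $_.Address -ne '192.168.100.0' }
$hb.Name  = 'Heartbeat'
$pub.Name = 'Public'

# Role values: 0 = "Do not allow the cluster to use this network" (the GUI
# option quoted in the post), 1 = cluster communication only, 3 = cluster
# and client traffic. A dedicated heartbeat link is normally Role 1 so the
# cluster actually uses it; Role 0 removes it from cluster use entirely.
$hb.Role  = 1
$pub.Role = 3

# Bring every LUN the initiator exposed into the cluster, then make the
# small one the disk witness (Node and Disk Majority, the recommended mode
# for a two-node cluster with shared storage).
Get-ClusterAvailableDisk -Cluster 'mscs01' | Add-ClusterDisk
Set-ClusterQuorum -Cluster 'mscs01' -NodeAndDiskMajority 'Cluster Disk 1'

# Check the result: quorum type, and every node reporting Up.
Get-ClusterQuorum -Cluster 'mscs01'
Get-ClusterNode   -Cluster 'mscs01' | Format-Table Name, State -AutoSize
```

Run Test-Cluster before New-Cluster every time: a cluster built from nodes that fail validation is unsupported, and the report names the exact storage or network check that failed.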




Configure Services or Application: Once you have finished configuring MSCS, you are ready to create a clustered service or application. For this article, I am going to create a DHCP cluster. Please note that, to create a clustered service or server role, you must have that server role installed on both nodes of the cluster.

Right-click Services and Applications > click Configure a Service or Application > select DHCP Server > click Next > type the clustered DHCP IP address > select the shared storage, follow the wizard and click Finish.








Now right-click testDHCP > click Manage.


Now add your DHCP scopes and superscopes. Note that the IP helper address on your Cisco L3 switch or core switch must be the virtual cluster IP of the DHCP cluster.


Command Line: Open an elevated command prompt. Type cluster /? to see all cluster commands. Type net start clussvc /fq and press Enter to start the cluster service with forced quorum. Type cluster [cluster-name] node node-name /status and press Enter to see the status of a cluster node. For more help on cluster groups and nodes, type cluster group /? and cluster node /? and press Enter.

Relevant Study:

Download TechNet Resources

HAL Requirements

Microsoft Cluster on VMware vSphere


An Overview of Active Directory Certificate Services (AD CS)

Certificate Services provide a public key infrastructure (PKI) for an organization. There are many benefits to having a PKI in an Active Directory infrastructure. One of the biggest advantages of deploying certificates is to identify the requestor requesting information from a server. This can be a web server, Exchange web mail or a Windows client requesting authentication from Active Directory. The server holding the role of approving and delivering certificates is called the certification authority, or CA for short. The Microsoft CA provides many options for diverse customers to deploy certificates according to security requirements, organizational structure and geographical location; that is, certificates can be deployed in a hierarchical manner. The top of the certificate hierarchy is called the Enterprise root CA. There can be more than one subordinate CA depending on your needs. A certification authority can be a standalone or an Enterprise CA. A standalone offline root CA can be used to provide PKI for internal users. The standalone root CA is kept offline to provide an extra layer of security for authentication, while a subordinate CA placed under the standalone root works as usual; in this case, your root CA isn't exposed to compromise. When you request a certificate from the subordinate CA, you have to approve the request manually. Again, this type of deployment provides an extra layer of security, as you can see who is requesting a certificate.

Installation of Root CA:

To install an Enterprise root CA, build a Windows Server 2008 machine and join it to the domain. Log on as a domain admin. Add and install the Web Server (IIS) role on that server as a prerequisite. Once finished, add the Active Directory Certificate Services role. Select Enterprise root CA while installing the CA. More detailed installation guidance is in these screenshots.

To install a standalone root CA, follow similar steps with one exception: a standalone CA isn't part of the Active Directory domain. You have to manually import certificate requests into the standalone CA server, which I explain later in this article.

Segregating CA Management Role:

To secure CA management and delegate management authority, you can segregate roles in the certification authority. There are five roles available to manage a CA: CA Administrator, CA Manager, CA Auditor, Backup Operator and Enrollees. To assign these roles, log on to the CA as an administrator and open the CA management console. Right-click the CA server name > click Properties. Go to the Security tab, add the specific groups to this window and assign the desired roles. The following screenshots illustrate these options.



HTTPS (secure) Certificate Enrollment using:

Before you can enroll certificates, install an SSL certificate for the CA itself and provide an FQDN for users and computers to request certificates.

Open the IIS management console on the CA server. Click the CA server > click Create Domain Certificate in the Actions pane on the right-hand side.





Click Finish to complete the request.

Click Sites > click Bindings.


Click Add > select SSL > select the IP address and port 443.


Select the certificate you just created.

Now create a CNAME record on the DNS server such as

Open the IE browser to test an SSL certificate request.


Managing Templates:

There are default certificate templates in the CA. The templates are stored in Active Directory for use by every CA in the forest. When deploying certificates, duplicate a template similar to your purpose (right-click Certificate Templates > Manage), name the template, set the validity period, publish it in Active Directory and set permissions on the Security tab. Now right-click Certificate Templates > click New > click Certificate Template to Issue. You must select the appropriate group on the Security tab of the template properties to restrict this template to the intended group of users.

Installation of Subordinate CA:

Prepare a Windows Server 2008 machine. Depending on your deployment topology, open Server Manager, click Add Roles, click Next, and click Active Directory Certificate Services. Click Next two times. Now select the following in the next steps.

Setup Type: Standalone or Enterprise

CA Type: Subordinate

Private key: Create a New Private Key


On the Request a Certificate step, you have two options. If your Enterprise root CA is part of the domain, you can request the subordinate CA certificate automatically or manually. However, if your Enterprise root CA is standalone, or the subordinate CA is standalone, then you have to generate a certificate request and submit it to the root CA. In this article, I request the certificate manually, because you can perform an automated request on your own.


Click Next and finish the installation.


Open the requested certificate file and copy its entire content into Notepad. Open the IE browser and browse to the root CA certificate enrollment page such as


Click Request a certificate, then click Advanced certificate request.


Click Submit a certificate request.


Paste the certificate request into the Base-64-encoded box and select the Subordinate Certification Authority template. Click Submit.


Now download the issued certificate and save it on the subordinate CA.



Log on to the subordinate CA and open the CA management console > click All Tasks > click Start CA. You will be prompted to import the subordinate CA certificate issued by the root CA. Browse to the location of the certificate you saved in the previous steps and select it. Your subordinate CA will start now.


Start menu > Run > services.msc > check that Active Directory Certificate Services is set to Automatic. Now manage and secure the CA as described in this article.

If your root CA is standalone, then you can take your root CA offline now. Open Event Viewer by typing eventvwr.exe in Start menu > Run, and check that AD CS is functioning properly.


To set up auditing in AD CS, right-click the AD CS server > Properties > Auditing tab > select the preferred audit events for the CA server.


To restrict enrollment agents on the CA, open the CA console > right-click the subordinate CA server > Properties > click the Enrollment Agents tab > click Restrict enrollment agents. Here you can add the groups or users that are allowed to request certificates on behalf of another client, and remove Everyone. Similarly, you can disallow everybody from requesting an enrollment agent certificate. Note that an enrollment agent can only request certificates; it cannot approve or revoke them.


To set pending requests on the CA, log on to the CA and open the CA console. Right-click the CA server > click Properties > click Policy Module > click Properties > select "Set the certificate request status to pending".



Restart the AD CS service.
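The auditing tab described above has a command-line equivalent, and the audit entries it produces are what a defender uses to review the pending-request workflow. The script below is an added example, not code from the original post: it enables all seven CA audit categories (AuditFilter 127 is the bitmask with every category set), turns on the Certification Services audit subcategory, restarts the service and then pulls the request-related events from the Security log. Run it elevated on the CA; the event IDs quoted in the comments are the standard Windows ones for these actions.

```powershell
# Added example, not from the original post. Run elevated on the CA.
# CA\AuditFilter is the registry value behind the Auditing tab; 127 = all
# seven categories (backup/restore, change config, change security,
# issue/manage requests, revoke/publish CRL, store/retrieve keys, start/stop).
certutil -setreg CA\AuditFilter 127

# The CA only writes audit events if the Security log subcategory is enabled.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Registry changes take effect after a service restart.
Restart-Service CertSvc

# Show a quick confirmation of the setting that is now in force.
certutil -getreg CA\AuditFilter

# Events produced by the pending-request workflow:
#   4886 = certificate request received
#   4887 = request approved and certificate issued
#   4888 = request denied
#   4889 = request status set to pending
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887, 4888, 4889 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Reviewing 4887 events against the list of expected requesters is the practical payoff of the manual-approval setup: every certificate the CA issues leaves a record naming the requester and the template.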

Requesting Certificate from standalone CA:

Create a text file, rename it to newrequest.inf and paste the following contents into it:


[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication





Subject="CN=<FQDN of the computer you are creating the certificate for, for example the gateway server or management server>"










Here, CN is the FQDN of the server where the requested certificate will be installed.

Now type the following command, and then press ENTER:

certreq -new -f NewRequest.inf NewCert.req

To submit the new request, type the following command (the -config value is "CA host FQDN\CA name"), and then press ENTER:

certreq -submit -config "<FQDN of your CA>\<Your CA Name>" NewCert.req NewCert.cer

Now issue the pending certificate from the CA management console and retrieve it with the following command, using the RequestId that certreq -submit printed:

certreq -retrieve <RequestID> NewCert.cer

Type the following command to accept the certificate and bind it to the private key, and then press ENTER:

certreq -accept NewCert.cer
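The four certreq steps above, scripted end to end so that the request file is written with straight quotes and section headers (curly quotes pasted from a blog are the usual reason certreq -new fails) and the RequestId is captured from the -submit output instead of being read off the screen. This is an added example, not code from the original post. The CA config string, the requesting server's FQDN, the working directory and the 2048-bit key length are assumptions; the post's own .inf uses 1024.

```powershell
# Added example, not from the original post. Assumed values: CA config
# "ca01.microsoftguru.com.au\Microsoftguru Root CA", requesting server
# dc1.microsoftguru.com.au, working directory C:\CertReq. Run elevated on
# the server that will use the certificate (MachineKeySet = TRUE).
$caConfig = 'ca01.microsoftguru.com.au\Microsoftguru Root CA'   # "CAHost\CAName"
$fqdn     = 'dc1.microsoftguru.com.au'
$work     = 'C:\CertReq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Straight quotes only; `$ keeps PowerShell from expanding $Windows.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@
Set-Content -Path "$work\NewRequest.inf" -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and the PKCS#10 request.
& certreq -new -f "$work\NewRequest.inf" "$work\NewCert.req"

# 2. Submit. On a CA set to "pending", certreq prints "RequestId: N" and
#    "Certificate request is pending"; capture N for the retrieve step.
$out = & certreq -submit -config $caConfig "$work\NewCert.req" "$work\NewCert.cer" 2>&1
$match = $out | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $match) { throw "certreq -submit did not return a RequestId:`n$out" }
$requestId = $match.Matches[0].Groups[1].Value
Write-Host "Request $requestId submitted to $caConfig (pending until issued in the CA console)."

# 3. After an administrator issues the request, fetch the certificate and
#    bind it to the private key created in step 1.
& certreq -retrieve -config $caConfig $requestId "$work\NewCert.cer"
& certreq -accept "$work\NewCert.cer"

# 4. Verify what landed in the machine store: subject, key size and EKU.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            KeyBits    = $_.PublicKey.Key.KeySize
            EKU        = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            NotAfter   = $_.NotAfter
        }
    }
```

Steps 3 and 4 are only meaningful once the request has been issued in the CA console; if you run the whole script at once against a pending-mode CA, certreq -retrieve reports the request as still pending and nothing is imported.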

Removing a Certification Authority: Log on to the system as the user who installed the certification authority. Server Manager > Roles > Remove Roles > select AD CS and remove the CA. Restart the decommissioned CA server. To remove the remaining information about this CA from Active Directory, type the following from an elevated command prompt:

certutil.exe -dsdel <CAName> and press ENTER

Dealing with Event IDs 100, 7024 and 48:

Issue a new certificate revocation list by running certutil.exe -crl from an elevated command prompt.

Type certutil.exe -setreg CA\LogLevel 2 and press Enter to change the CA log level in the registry.

To disable revocation list checking, type the following from the command prompt and press Enter.


Blogging year 2010: what the stats say

Sharing the stats of my blog with my visitors. I started this free WordPress blog before founding

Team + Stats Helper Monkeys
January 2nd, 2011, 03:35pm

Here's a high-level summary of my overall blog health:



“We think you did great!” comments by WordPress

Crunchy numbers



This blog ( was viewed about 200,000 times in 2010.

The most popular post that day was Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step.

Where did they come from?

The top referring sites in 2010 were,,,, and

Some visitors came searching, mostly for exchange 2010 edge, network policy server radius, exchange 2010 edge transport, installing tmg 2010, and exchange 2010 edge subscription.

Attractions in 2010

These are the posts and pages that got the most views in 2010. You can see all of the year's most-viewed posts and pages in your Site Stats.

Forefront TMG 2010: How to install and configure Forefront TMG 2010 - Step by step (March 2010)

Windows Server 2008: how to configure Network Policy Server or Radius Server - Step by Step Guide (November 2009)

Install and configure WSUS 3.0 SP2 - Step-By-Step (August 2009)

Step by Step Guide on Exchange Server 2010 Edge Transport Role (November 2009)

Transitioning from Exchange Server 2003 to Exchange Server 2010 - Step by Step (October 2009)

Comments from WordPress: “Some of your most popular posts were written before 2010. Your writing has staying power! Consider writing about those topics again”.

See you in 2011!