Nov 17, 2009

Server 2008: Install Active Directory Certificate Services

For a short recap, AD CS is the backbone of Microsoft’s Public Key Infrastructure (PKI) implementation. It lets you issue certificates for SSL/TLS use on websites or for digitally signing your email.

Now let’s take a look at installing Active Directory Certificate Services.

Certain versions of Server 2008 only allow certain AD CS components to be installed; please take a look at this table for reference:

[Table image not available in this copy: AD CS role services supported by each Windows Server 2008 edition]

  • CA – issues certificates to users, computers and services while also managing their validity; comes in root and subordinate varieties
  • Network Device Enrollment Service – allows network devices (e.g. routers) to request and receive certificates based on the Simple Certificate Enrollment Protocol (SCEP)
  • Online Responder Service – implements the Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information

Install Enterprise Certificate Authority on a Windows 2008 Server

As I outlined in my earlier article, there are two varieties of root CAs: Enterprise and Stand-Alone. Each has its own advantages and configuration, but in this case we are going to install an Enterprise CA.

I am going to be installing this root CA server in my test Active Directory domain named ADExample.com on a Windows Server 2008 Enterprise edition.

The server is a member of the domain, and is a domain controller. Let’s get started.

1. Open Server Manager.

2. Select Roles, then click Add Roles in the center pane.

3. The Before You Begin page may show up if you haven’t turned it off already. If you see it just click Next.

4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.

5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS.

The biggest thing to note here is the following:

The name and domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller, do so BEFORE installing the CA.

Now with that warning out of the way, go ahead and click on Next.

6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on — refer to the table above for specifics.

For this install I am going to choose the Certification Authority only.

7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

9. In Set Up Private Key, I am going to choose Create a new private key radio button and then select Next.

10. Now you have to Configure Cryptography for CA in this window, and there are quite a few options to choose from.

Now I am no expert on cryptography, but some basic rules do apply … the longer the key the harder it is to crack. For our purposes I am going to use the following settings:

  • Cryptographic service provider: RSA#Microsoft Software Key Storage Provider
  • Key character length: 4096
  • Hash algorithm: md5

Now I am going to click Next.

11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose.

I am going to overwrite the default common name with Test-Enterprise-CA, but I will leave the rest alone.

12. Next we will Set Validity Period for this CA’s certificate.

Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.

13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA.

I am going to leave the default in place. Click Next.

14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA.

Go ahead and click Install… you know you want to!

15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.

After your glow of certificate happiness fades go ahead and click Close.

16. Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop-up, just click OK).

17. Now you can see the snap-in is showing the CA named Test-Enterprise-CA in the left pane with a bunch of folders for certificates.

18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already set up and ready to go.
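As an added example (not code from the original article), here is how the same wizard choices can be written into a CAPolicy.inf before step 2, so setup reads them from the file, followed by a check of what the wizard actually produced. It assumes PowerShell is available on the server; the LoadDefaultTemplates and CRL settings are choices added here, not the article’s.

```powershell
# Added example, not the article's own code. AD CS setup reads %windir%\CAPolicy.inf
# at install time; the values below mirror the article's wizard choices
# (4096-bit key, 5-year root certificate). LoadDefaultTemplates=0 is an added
# choice: the CA then starts without the default templates seen in step 18,
# so only templates you deliberately publish can be issued.
$policy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=Weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# A root CA certificate carries no CDP/AIA extensions, hence Empty=True above.
$inf = Join-Path $env:windir 'CAPolicy.inf'
Set-Content -Path $inf -Value $policy -Encoding ASCII
Get-Content $inf    # confirm the file before running Add Roles (step 2)

# --- after the wizard reports "Installation succeeded" (step 15) ---
# Export the CA certificate and dump it. The first "Algorithm ObjectId" line
# is the signature algorithm and reflects the hash chosen in step 10 (md5RSA
# for the article's choice; SHA-256 is the current recommendation), and
# "Public Key Length" confirms the 4096-bit key.
$cer = Join-Path $env:TEMP 'root-ca.cer'
certutil -ca.cert $cer | Out-Null
certutil -dump $cer | Select-String 'Algorithm ObjectId|Public Key Length|NotAfter'

# Confirm the install-time CRL policy took effect on the running CA.
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPeriodUnits
```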

Summary

Now that we have installed Active Directory Certificate Services, the next step would be to request some certificates and configure them.

The installation for a stand-alone CA is very similar to this. In fact if you are not in a domain and if you are not installing as a domain admin you will not even get the option for an Enterprise CA setup, so if you see that grayed out you now know why.

In my next article we will take a look at some of the uses for certificates and how to request and install them on servers and clients.

Server 2008 Active Directory: Adding a Child Domain

It’s always a good thing when your company expands, right? More money for the company could mean more money for you!

Unfortunately this is not always the case as expanding will usually mean more work for you.

But in case the company you work for opens up another office in a different city, state, or country, in order to keep your network manageable it’s best to put the new office into its own child domain — a.k.a. subdomain.

Why Add a Child Domain?

There are several good reasons for splitting the new office into its own child domain, here are 3 of them:

  • Less Network Traffic between your main office and the new one – that means your company will spend less money on the direct connection between the two offices and you will never experience a network delay.
  • You will be able to delegate control of the new network to another administrator who actually lives in the location of the new office. If your offices are close and you are about 20 minutes away to any one of them, then I guess that’s no big deal. But if your main office is located in New York and the new office is going to be in … oh, let’s say Paris, how the heck are you going to get there in case of an emergency? See my point?
  • Having the child domain will allow you to keep track of what is going on in a specific office.

These are only the main good reasons for creating a child domain. Once you start working in an environment with sub domains you will realize there are a lot more good reasons for splitting the two locations in your Active Directory.

Before you begin …

1. In order to create a child domain on your network, you will need another server, or rather a Domain Controller.

You can build that DC in your main office and then ship it out to the new office. This DC will also be a Global Catalog as well as DNS Server to assist all the clients in the new office with any DNS requests, etc.

2. You also need to prepare your current network for the new sub domain. So before you begin with the new DC configuration you need to do the following:

  • Create a new site in your Active Directory that will represent the physical structure of your network. In my example our main office is in New York and the new one is in Chicago. Based on that info, you would create a new site for the Chicago office.
  • In addition to the new site you will also need to create a new subnet for your new location. It will allow you to track all of your machines by location. This new subnet should be assigned to your new location.
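As an added example (not code from the original article), the two preparation items above done through ADSI, which creates the same objects that the Active Directory Sites and Services console does. It assumes it is run on a domain member as a domain admin; the site name follows the article, while the subnet prefix 10.20.0.0/16 is an assumption for illustration.

```powershell
# Added example, not the article's own code: creates the Chicago site and a
# subnet mapped to it. Run on a domain member as a domain admin.
$siteName = 'Chicago'
$prefix   = '10.20.0.0/16'   # assumed address range for the Chicago office

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"
$siteDN   = "CN=$siteName,$sitesDN"

# A usable site is three objects: the site plus its NTDS Site Settings and
# Servers containers. dcpromo places the new DC's server object under Servers.
$sites = [ADSI]"LDAP://$sitesDN"
$site  = $sites.Create('site', "CN=$siteName")
$site.SetInfo()
$settings = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings')
$settings.SetInfo()
$servers  = $site.Create('serversContainer', 'CN=Servers')
$servers.SetInfo()

# The subnet's siteObject attribute is what lets the DC locator send clients
# with a 10.20.x.x address to Chicago DCs rather than across the WAN.
$subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
$subnet  = $subnets.Create('subnet', "CN=$prefix")
$subnet.Put('siteObject', $siteDN)
$subnet.SetInfo()

# Read the mapping back to confirm it was written.
$subnet.siteObject
```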

Once you have prepared your network as described above, you are ready to create the new Domain Controller.

Creating a New Domain Controller

Once you have prepared your network for your child domain and have created the site and subnet, it’s time to install the new DC in our new site.

As you can see our main office is in New York and we have 3 DCs already configured in the New York Site (see the screenshot below).

Our new site called Chicago doesn’t have any DCs configured yet – this is where we are going to configure our new DC.

1. After you have installed Windows Server 2008 on your new machine and completed all the Initial Configuration Tasks, open up Server Manager and click on the Roles section.

2. We will need to install the Active Directory Domain Services (ADDS) Role first. So go ahead and check the box next to it and click Next.

3. In this window you will see some additional information about ADDS. Once ready, click on Next.

4. As always you are being informed that once the installation is completed the server will restart and you will need to use the ADDS Installation Wizard to make the server a fully functional Domain Controller.

Go ahead and click on the Install button.

5. The installation will now run for a few minutes.

6. Now it’s time to click on the link and run dcpromo.exe.

7. Go ahead and click Next on the welcome screen.

8. And Next again (for more detailed information on this step you can check out this post on Installing Active Directory Domain Services on Server 2008).

9. Since this is going to be your child domain, make sure you select the Existing forest option and then select Create a new domain in an existing forest.

When ready, click on the Next button.

10. Type in your domain name with the correct internet suffix. In my example I’m using our globomantics.com domain.

Since this domain already exists and you are logged in to this machine only as a local administrator you will also need to enter alternate credentials of a domain administrator in order to proceed.

So go ahead and click on the Set button.

11. Enter the domain administrator’s name and password, then hit OK.

12. When ready, click on Next.

13. In this step you will need to enter the Fully Qualified Domain Name (FQDN) of your child domain in two steps.

The first is the FQDN of your parent domain. In our example it is going to be globomantics.com.

Next you need to enter the single-label DNS name of your child domain — that means anything that is before the globomantics.com.

In my example I entered na for na.globomantics.com — as seen on the bottom.

That will be our FQDN for the new child domain. Once ready, click on the Next button.

14. Now it’s time to select a site for this DC.

Now you see why we needed to create the new site before we started this installation. Select the correct site and click Next.

15. As mentioned earlier, we are going to make this DC our DNS server as well as a Global Catalog for our new site.

Make sure both check-marks are checked and then click on the Next button.

16. I would recommend leaving the default locations for these databases unless you have a really good reason not to. Click Next.

17. In this window you will need to set up the Directory Services Restore Mode Administrator Password for restore purposes.

Go ahead and type that in and then click on the Next button.

18. On this summary window double check your selections and when ready click Next.

19. You can check the box Reboot on completion and let the installation complete.

Congratulations! Your Child Domain has been created!
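As an added example (not code from the original article), the same child-domain promotion done with a dcpromo.exe answer file, so every choice made in the wizard steps above is recorded and repeatable. Names follow the article (globomantics.com, na, Chicago); the NetBIOS name, the account name and the default paths are assumptions.

```powershell
# Added example, not the article's own code: unattended dcpromo for a child domain.
$parent = 'globomantics.com'
$child  = 'na'
$site   = 'Chicago'

# Prompt for the DSRM password (step 17) rather than storing it in the script.
$dsrm = Read-Host 'Directory Services Restore Mode password'

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$parent
ChildName=$child
DomainNetbiosName=$($child.ToUpper())
SiteName=$site
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=$parent
UserName=administrator
Password=*
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$file = "$env:windir\Temp\na-child.txt"
Set-Content -Path $file -Value $answer -Encoding ASCII

# Password=* makes dcpromo prompt for the domain admin password (step 11)
# instead of reading it from the file. SiteName matches step 14, InstallDNS
# and ConfirmGc match step 15, and the three paths match step 16.
& "$env:windir\System32\dcpromo.exe" /unattend:$file

# The answer file holds the DSRM password: remove it as soon as dcpromo
# returns, then read the log before rebooting by hand.
Remove-Item $file -Force
Get-Content "$env:windir\debug\dcpromo.log" | Select-String 'ERROR|completed'
```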


Server 2008 Active Directory User Groups — Easy Way!

User Groups and Organizational Units are two great ways of keeping your Active Directory organized and controlled.

Why would we want to do that? Well, let’s say for example that we have this one shared folder on our network that we want only our Sales Department to have access to.

Without groups in your Active Directory, you would have to go to each individual Sales Department user account and give that account access to that shared folder. That can take quite some time if you have, let’s say … 200 users in your Sales Department.

Instead, what we are going to do is take all the Sales Department user accounts and put them in a Sales User Group. Now when I want to give access to all of my Sales Users to that shared folder, I just give the entire Sales Group access to it and voila! All Sales Users now have access to our shared folder!

That’s just so much easier, isn’t it? You can then take the Sales User Group and put it in a Sales Organizational Unit.

An Organizational Unit is really just a container for organizational purposes, to keep your Active Directory nice and clean. You can add different groups, computers and other resources to an Organizational Unit.

Enough talk, let me show you how you can accomplish all of this in your Windows Server 2008 Active Directory.

Creating an Organizational Unit

1. Start by opening up your Server Manager, then expand the Roles section.

2. Next expand the Active Directory Domain Services section and click on Active Directory Users and Computers.

3. At this point you should be able to see your domain. In our example we are using the Globomantics domain. Go ahead and expand your domain.

4. Now we need to create an Organizational Unit for a group to live in. In our example we are going to create an OU for our Ops Team.

To create a new Organizational Unit, right-click on your domain name, point to the New option and then select Organizational Unit.

5. Type in the name of your OU and make sure that the box is checked next to Protect container from accidental deletion. When done, click OK.

6. We now have a new Organizational Unit in our Active Directory called OpsOU.

Creating a New Group

1. After you create an Organizational Unit in your Active Directory, you are ready to create your first group. Go ahead and select your OU and then right-click in the blank area.

2. Next, point to New and then select Group.

3. The next step is to name your Group, select the scope and then select the type.

In this example we are going to name our group OpsUsers. We are also going to leave the default selections for group scope, which is Global, and group type, which is Security. When you are ready, click OK.

4. Our new group has been created!

Moving Accounts Into a Group

1. In order to move pre-existing accounts into a group, you need to hold down the Control key and click on all the User or Computer accounts that you want to move into that group.

2. Then you need to right-click on any one of those accounts and select Add to a group.

3. Next, you need to type in the group name and let the machine find it.

In our example, I will type in OpsUsers and then click on the Check names button. Once the name is verified and group name is found, the text will become underlined and you can click the OK button. Since we know our group exists, we are going to click OK without verification.

4. Now all of these accounts are part of our OpsUsers group.

Note: Another way of accomplishing this would be to click on an account, hold it, then drag and drop it into a particular group. Depending on how much you like to use your mouse and how much time you have this may or may not be your preferred way of accomplishing this task.
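As an added example (not code from the original article), the OU, group and membership work from the three sections above done with the ds* command-line tools that ship with Windows Server 2008, including the deny entries behind the "Protect container from accidental deletion" checkbox. Names follow the article (OpsOU, OpsUsers, globomantics.com); the user accounts matched by the name pattern are an assumption for illustration.

```powershell
# Added example, not the article's own code: OU, group and membership via ds* tools.
$domainDN = 'DC=globomantics,DC=com'
$ouDN     = "OU=OpsOU,$domainDN"
$groupDN  = "CN=OpsUsers,$ouDN"

# Create the OU (step 5). The "Protect container from accidental deletion"
# checkbox is a pair of Deny ACEs for Everyone: Delete (SD) and Delete
# Subtree (DT). dsacls adds the same pair.
dsadd ou $ouDN -desc 'Ops team'
dsacls $ouDN /D 'Everyone:SDDT'

# Create a global security group, the wizard's default scope and type (step 3).
dsadd group $groupDN -secgrp yes -scope g -samid OpsUsers

# Find existing user accounts by name (assumed pattern 'ops*') and add them
# in one call, as in Moving Accounts Into a Group. dsquery prints one DN per
# line and dsmod reads those DNs from the pipeline.
dsquery user $domainDN -name 'ops*' -limit 0 | dsmod group $groupDN -addmbr

# Verify: the group's members (step 4) and the deny entries on the OU.
dsget group $groupDN -members
dsacls $ouDN | Select-String 'Deny'
```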