Understanding and Installing Active Directory Certificate Services (part 2) - Installing AD CS

9/27/2013 7:42:29 PM

2. New AD CS Features in Windows Server 2008 R2

As with other AD technologies in Windows Server 2008 R2, AD CS has been updated to include additional features. Three new features are available:

  • Certificate Enrollment and Certificate Enrollment Policy Web Services

  • Certificate enrollment across forests

  • Better support for high-volume CAs

Each of these features is focused on either better administration of your AD CS deployment or better support for large AD CS deployments.

New AD CS Web Services

The new Web Services for AD CS feature provides support for certificate enrollment over the Hypertext Transfer Protocol (HTTP). The Web Service acts as a proxy between the client and the Certificate Authority. This makes direct communication between the two unnecessary and facilitates certificate enrollment over the Internet as well as across AD DS forests. Mobile workers, business partners, and remote users can now enroll for certificates directly over the Internet, making it simpler to support them. Large organizations or organizations that must interact across AD DS forest boundaries can also enjoy a simpler enrollment process through these Web Services.



For the Certificate Enrollment Web Service to submit and support requests for new certificates on behalf of clients, it must be trusted for delegation. Deploying the Web Service in an extranet therefore widens your exposure to network attack. To protect your network, configure the Web Service and the issuing CA to accept only renewal requests signed with existing certificates. This is a more secure deployment because it no longer requires delegation. However, this configuration cannot serve clients that do not yet hold a certificate.

To work with the new AD CS Web Services, your network configuration must meet the following requirements:

  • The forest functional level must be Windows Server 2008 R2.

  • Your enterprise CA must be running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

  • Client computers must run Windows 7.

  • To support cross-forest enrollment, the enterprise CAs in each forest must run either the Enterprise or Datacenter edition of Windows Server.

Rely on this feature if you need either cross-forest enrollment or enrollment over the Internet.

Enrollment across Forests

As mentioned earlier, cross-forest enrollment is provided by the new AD CS Web Services. However, for cross-forest enrollment to work, the forests must also share a two-way trust relationship and the forest functional level must be at least Windows Server 2003. If your organization must rely on multiple forests, and you have PKI deployments within each forest, you can rely on this feature to facilitate enrollments across your forests. Note that CAs can now issue certificates across forests at a forest functional level of Windows Server 2003, but for enrollment to work you need a forest functional level of Windows Server 2008 R2. Client computers do not need an update to work with this feature.

Alternatively, you can simplify your CA deployments by removing CAs from the other forests and centralizing the issuing CA in one single forest. This provides support for certificate use in multiple forests while running only one AD CS deployment.

High-Volume CAs

Some organizations, such as those that have deployed the Windows Server Network Access Protection (NAP) feature, may require higher-volume certificate management than others. When you use a technology such as NAP, your CAs issue a vast number of health certificates. These are used each time a client tries to connect to your network. NAP health certificates are very short-lived and usually last only a matter of hours before they expire. Because of this, a CA might issue several different certificates per computer each day. This high volume of certificates can slow down the CA and have an impact on performance overall.

With Windows Server 2008 R2, organizations can choose to bypass certain CA database operations to improve CA performance in these scenarios. By default, CAs store both a record of each certificate request and the issued certificate in the CA database. This means that the CA database can become quite bulky in large NAP deployments. By bypassing the storage of certificates in the database—in fact, not storing either the request records or the issued certificates in the CA database—you can improve the CA’s performance and reduce CA operational costs. This feature is called non-persistent certificate processing.
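As an added example (not from the original text), the following PowerShell session switches an R2 CA to non-persistent processing and checks the result. It assumes it is run elevated on the CA itself; the flag name DBFLAGS_ENABLEVOLATILEREQUESTS is assumed from the R2 documentation and should be confirmed against the `-getreg` output on your own CA.

```powershell
# Added example: enable non-persistent certificate processing on a 2008 R2 CA.
# Assumptions: run elevated on the CA; the DBFlags name below is taken from the
# R2 documentation and is confirmed by the -getreg calls rather than trusted blindly.

# 1. Record the current database flags so the change can be reverted later.
certutil -v -getreg 'CA\DBFlags'

# 2. Tell the CA to honor templates that are marked "Do not store certificates
#    and requests in the CA database" (Server tab of the template properties).
certutil -setreg 'CA\DBFlags' '+DBFLAGS_ENABLEVOLATILEREQUESTS'

# 3. The CA reads DBFlags at service start, so restart Certificate Services.
Restart-Service CertSvc

# 4. Confirm the flag is now present in the CA configuration.
certutil -v -getreg 'CA\DBFlags'

# Caveat: a certificate the CA never recorded cannot be revoked from the CA
# database and leaves no request row for later investigation, so limit this
# mode to short-lived templates such as NAP health certificates.
```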

3. Installing AD CS

Installing AD CS is a much more involved process than installing Active Directory Lightweight Directory Services (AD LDS). This is because of the choice between stand-alone and enterprise CAs and the subsequent choices that ensue from this original decision.

In most cases, you will install at least a two-tiered structure, installing first a stand-alone CA, then an enterprise CA. In larger organizations, you will deploy several tiers and install several servers in each tier except the root.

Servers hosting the AD CS role should be configured with the following capabilities, whether they are physical or virtual:

  • Multiple processors, because this accelerates the certificate allocation process.

  • Minimal amounts of RAM, because RAM has little effect on certificate processing. VMs need no more than 512 MB of RAM.

  • Separate disks for the certificate store. Ideally, you should have at least one data disk and store the database on it. Issuing servers for large communities should also have a separate disk for log files.

  • Key lengths kept to medium sizes, to obtain the best performance from the server. Key lengths have an impact on CPU and disk usage. Short keys require more disk overhead. Long keys require more CPU usage and less disk activity.

  • If using physical systems, a redundant array of inexpensive disks (RAID) level that is balanced between reliability and improved performance.



The AD CS role can now be installed on Server Core in Windows Server 2008 R2. The installation is provided by a Visual Basic script and installs all of the required components to run a CA. This means that if you install CAs in perimeter networks, you should consider installing them on a Server Core installation to keep them more secure.

Different editions of Windows Server 2008 R2 offer different features in support of AD CS. Table 3 outlines the supported features based on the selected edition.

Table 3. AD CS Features per Windows Server 2008 R2 Edition

Features compared in Table 3 (the per-edition columns are not reproduced here):

  • Stand-alone certificate authority

  • Enterprise certificate authority

  • Network Device Enrollment Service (NDES)

  • Online responder service

  • Key archival

  • Role Separation

  • Certificate Manager restrictions

  • Delegated enrollment agent restrictions

Preparing for AD CS Installation

You must prepare your environment before installing AD CS. The prerequisites for a typical AD CS installation include the following:

  • An AD DS forest with at least a forest root domain. Preferably, you also have a child production domain.

  • Computers to run the certificate authorities used in your hierarchy. In the simplest typical deployment, this means at least two computers: one for the root CA and one for the issuing CA. The issuing CA can also host the online responder service and NDES. The issuing CA requires the installation of IIS, but the AD CS installation process automatically adds this feature during installation. Both computers should be members of the production domain. In addition, these computers should include the following settings:

    • Remember that the root CA can run Windows Server 2008 R2 Standard edition. In addition, it should be disconnected from the network after the installation is complete, for security purposes.

    • The enterprise issuing CA must run on either Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition.

    • The root CA needs at least two drives, and the issuing CA should have three drives to store the certificate database and its logs.

  • A special user account, if you choose to install the NDES service. Create a domain account and make it a member of the local IIS_IUSRS group on each server that will host this service. For example, you could name this account NDESService. Because this account will be shared among several computers, it should not be a managed service account.

  • Client computers, ideally running Windows 7, to request and obtain certificates.
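The prerequisites above, together with the Web Services requirements listed earlier, can be read back from a candidate CA host before the installation starts. This added PowerShell example (not from the original text) does that; it assumes the ActiveDirectory module is available on the host being checked and uses the NDESService account name from the text as a placeholder.

```powershell
# Added example: check a candidate CA host against the prerequisites in the text.
# Assumptions: ActiveDirectory module present (RSAT); NDESService is a placeholder.
Import-Module ActiveDirectory

function New-CheckResult($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-AdcsPrerequisites {
    param([ValidateSet('RootCA','IssuingCA')][string]$Role = 'IssuingCA',
          [string]$NdesAccount = 'NDESService')   # placeholder name used in the text
    $os    = Get-WmiObject Win32_OperatingSystem
    $cs    = Get-WmiObject Win32_ComputerSystem
    $disks = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')
    $minDisks = if ($Role -eq 'RootCA') { 2 } else { 3 }

    # Forest functional level must be Windows Server 2008 R2 for the AD CS Web Services.
    $forest = Get-ADForest
    New-CheckResult 'Forest functional level 2008 R2' ($forest.ForestMode -eq 'Windows2008R2Forest') $forest.ForestMode

    # Both the root CA and the issuing CA should be members of the production domain.
    New-CheckResult 'Domain member' $cs.PartOfDomain $cs.Domain

    # Only the enterprise issuing CA needs Enterprise or Datacenter edition;
    # the root CA may run Standard edition.
    if ($Role -eq 'IssuingCA') {
        New-CheckResult 'Enterprise/Datacenter edition' ($os.Caption -match 'Enterprise|Datacenter') $os.Caption
    }

    # Root CA: at least two drives; issuing CA: three (database and logs on separate disks).
    $driveList = ($disks | ForEach-Object { $_.DeviceID }) -join ' '
    New-CheckResult "At least $minDisks fixed drives" ($disks.Count -ge $minDisks) $driveList

    # NDES host only: the shared domain account must be in the local IIS_IUSRS group.
    if ($Role -eq 'IssuingCA') {
        $group   = [ADSI]'WinNT://./IIS_IUSRS,group'
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        New-CheckResult "$NdesAccount in IIS_IUSRS" ($members -contains $NdesAccount) ($members -join ', ')
    }
}

# Run with -Role RootCA on the future root CA while it is still connected to the network.
Test-AdcsPrerequisites -Role IssuingCA | Format-Table Check, Pass, Detail -AutoSize
```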

Now you can move on to the actual installation. To install a stand-alone root CA, use the procedure described in the following practice.
