2. New AD CS Features in Windows Server 2008 R2
As with other AD technologies in Windows Server 2008 R2, AD CS
has been updated to include additional features. Three new features are available:
- Certificate Enrollment and Certificate Enrollment Policy Web Services
- Certificate enrollment across forests
- Better support for high-volume CAs
Each of these features is focused on either better
administration of your AD CS deployment or better support for large AD
CS deployments.
The new Web Services for AD CS feature provides support for
certificate enrollment over the Hypertext Transfer Protocol (HTTP). The Web Service
acts as a proxy between the client and the Certificate Authority.
This makes direct communication between the two unnecessary and
facilitates certificate enrollment over the Internet as well as
across AD DS forests. Mobile workers, business partners, and remote
users can now enroll for certificates directly over the Internet,
making it simpler to support them. Large organizations or
organizations that must interact across AD DS forest boundaries can
also enjoy a simpler enrollment process through these Web
Services.
IMPORTANT: CERTIFICATE ENROLLMENT WEB SERVICE IN EXTRANETS
For the Certificate Enrollment Web Service to submit and
support requests for new certificates on behalf of clients, it
must be trusted for delegation. When you deploy the Web Service in
an extranet, it may increase the threat of a network attack. To
protect your network, configure the Web Service and the issuing CA
to accept only renewal requests signed with existing certificates.
This provides a more secure deployment because it no longer
requires delegation. However, this configuration does not support
clients without existing certificates.
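The following PowerShell script is an added example and is not part of the book; it audits the two things the note above turns on: whether the CES computer account is trusted for delegation, and whether the CA accepts renewal requests submitted on its behalf (the CA-side setting that renewal-only mode relies on). It assumes a domain-joined admin workstation with RSAT (the ActiveDirectory module) and certutil; the host name CES01 and the CA configuration string are placeholders.

```powershell
# Added example, not from the book: audit the delegation exposure described in the
# note and whether the CA is set to accept renewal requests on behalf of clients.
# Assumed names: CES host 'CES01' and CA 'CA01.contoso.com\CONTOSO-ISSUING-CA'.
Import-Module ActiveDirectory

$CesHost  = 'CES01'                                  # assumed CES server name
$CaConfig = 'CA01.contoso.com\CONTOSO-ISSUING-CA'    # assumed CA config string

# 1. Delegation posture of the CES computer account.
#    TrustedForDelegation      = unconstrained delegation (broadest exposure)
#    msDS-AllowedToDelegateTo  = constrained delegation targets, if any
$ces = Get-ADComputer -Identity $CesHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$delegationTargets = @($ces.'msDS-AllowedToDelegateTo')

# 2. CA side: certutil lists, by name, the EditFlags bits that are set.
#    EDITF_ENABLERENEWONBEHALFOF is the bit the CA needs in order to process
#    renewal requests that CES submits on behalf of a client (renewal-only mode).
$editFlagsOut  = certutil -config $CaConfig -getreg 'policy\EditFlags' 2>&1
$renewOnBehalf = @($editFlagsOut | Where-Object { $_ -match 'EDITF_ENABLERENEWONBEHALFOF' }).Count -gt 0

# New-Object rather than [PSCustomObject] so the script runs on PowerShell 2.0
$report = New-Object PSObject -Property @{
    CesHost                  = $CesHost
    UnconstrainedDelegation  = [bool]$ces.TrustedForDelegation
    ConstrainedDelegationTo  = ($delegationTargets -join '; ')
    CaRenewOnBehalfOfEnabled = $renewOnBehalf
}
$report | Format-List

if ($report.UnconstrainedDelegation) {
    Write-Warning "$CesHost is trusted for unconstrained delegation; an extranet CES in renewal-only mode should not need it."
}
if (-not $report.CaRenewOnBehalfOfEnabled) {
    Write-Warning "CA does not accept renew-on-behalf-of requests; renewal-only CES enrollment would fail."
}
```

Run it after switching the Web Service to renewal-only mode: the expected end state for an extranet deployment is no unconstrained delegation on the CES host and the renew-on-behalf-of flag present on the CA.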
To work with the new AD CS Web Services, your network
configuration must meet the following requirements:
- The forest functional level must be Windows Server 2008 R2.
- Your enterprise CA must be running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
- Client computers must run Windows 7.
- To support cross-forest enrollment, the enterprise CAs in each forest must run either the Enterprise or Datacenter edition of Windows Server.
Rely on this feature if you need either cross-forest
enrollment or enrollment over the Internet.
Enrollment across Forests
As mentioned earlier, cross-forest enrollment is provided by the new AD CS
Web Services. However, for cross-forest enrollment to work, the
forests must also include a two-way trust relationship and the
forest functional level must be at least Windows Server 2003. If your organization must rely on
multiple forests, and you have PKI deployments within each forest,
you can rely on this feature to facilitate enrollments across your
forests. Note that CAs can now issue certificates across forests
with a forest functional level of Windows Server 2003, but for
enrollment to work you need a forest functional level of Windows
Server 2008 R2. Client computers do not need an update to work with
this feature.
However, you can simplify your CA deployments by removing CAs
from other forests and centralizing the issuing CA in one single
forest. This provides support for certificate use in multiple
forests while running only one AD CS deployment.
Some organizations, such as those that have deployed the
Windows Server Network Access Protection (NAP) feature, may require
higher volume certificate management than others. When you use a
technology such as NAP, your CAs issue a vast number of health
certificates. These are used each time a client tries to connect to
your network. NAP health certificates are very short-lived and
usually last only a matter of hours before they expire. Because of
this, a CA might issue several different certificates per computer
each day. This high volume of certificates can slow down the CA and
have an impact on performance overall.
With Windows Server 2008 R2, organizations can choose to
bypass certain CA database operations to improve CA performance in
these scenarios. By default, CAs store both a record of each
certificate request and the issued certificate in the CA database.
This means that the CA database can become quite bulky in large NAP
deployments. By bypassing the storage of certificates in the
database—in fact, not storing either the request records or the
issued certificates in the CA database—you can improve the CA’s
performance and reduce CA operational costs. This feature is called
non-persistent certificate processing.
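Non-persistent processing is a two-part setting: the CA must allow volatile requests, and the certificate template must be marked so that its certificates are not persisted. The PowerShell script below is an added example, not the book's own, that checks both halves; it assumes RSAT with the ActiveDirectory module, and the CA configuration string and the template name NAPHealth are placeholders.

```powershell
# Added example, not from the book: check the two switches behind non-persistent
# certificate processing. On the CA, certutil must show the
# DBFLAGS_ENABLEVOLATILEREQUESTS bit in DBFlags; on the template, the
# CT_FLAG_DONOTPERSISTINDB bit (0x1000) must be set in msPKI-Enrollment-Flag.
# Assumed names: CA 'CA01.contoso.com\CONTOSO-ISSUING-CA', template 'NAPHealth'.
Import-Module ActiveDirectory

$CaConfig     = 'CA01.contoso.com\CONTOSO-ISSUING-CA'   # assumed CA config string
$TemplateName = 'NAPHealth'                             # assumed template CN
$CT_FLAG_DONOTPERSISTINDB = 0x1000

# CA side: certutil prints the names of the DBFlags bits that are set
$dbFlagsOut = certutil -config $CaConfig -getreg DBFlags 2>&1
$caVolatile = @($dbFlagsOut | Where-Object { $_ -match 'DBFLAGS_ENABLEVOLATILEREQUESTS' }).Count -gt 0

# Template side: templates live in the configuration partition of the forest
$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $templatesDn -Filter "cn -eq '$TemplateName'" -Properties 'msPKI-Enrollment-Flag'
if (-not $tpl) { throw "Template '$TemplateName' not found under $templatesDn" }
$tplVolatile = ([int]$tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_DONOTPERSISTINDB) -ne 0

# Both switches must be on for issued certificates to bypass the CA database
New-Object PSObject -Property @{
    CA                     = $CaConfig
    CaVolatileRequests     = $caVolatile
    Template               = $TemplateName
    TemplateDoNotPersist   = $tplVolatile
    NonPersistentEffective = ($caVolatile -and $tplVolatile)
} | Format-List
```

Keep in mind what the performance gain costs you: a certificate that was never written to the CA database leaves no issuance record there and cannot be revoked from the CA. That is acceptable for certificates that expire within hours, such as NAP health certificates, and is the reason to enable the template flag only on such templates rather than CA-wide.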
Installing AD CS is a much more involved process than installing
Active Directory Lightweight Directory Services (AD LDS). This is
because of the choice between stand-alone and enterprise CAs and the
subsequent choices that ensue from this original decision.
In most cases, you will install at least a two-tiered structure,
installing first a stand-alone CA, then an enterprise CA. In larger
organizations, you will deploy several tiers and install several
servers in each tier except the root.
Servers hosting the AD CS role should be configured with the
following capabilities, whether they are physical or virtual:
- Multiple processors, because this accelerates the certificate allocation process.
- Minimal amounts of RAM, because RAM has little effect on certificate processing. VMs need no more than 512 MB of RAM.
- Separate disks for the certificate store. Ideally, you should have at least one data disk and store the database on it. Issuing servers for large communities should also have a separate disk for log files.
- Key lengths kept to medium sizes, to obtain the best performance from the server. Key lengths have an impact on CPU and disk usage. Short keys require more disk overhead. Long keys require more CPU usage and less disk activity.
- If using physical systems, a redundant array of inexpensive disks (RAID) level that is balanced between reliability and improved performance.
IMPORTANT: INSTALLATION ON WINDOWS SERVER 2008 R2
The AD CS role can now be installed on Server Core in Windows
Server 2008 R2. The installation is provided by a Visual Basic
script and installs all of the required components to run a CA. This
means that if you install CAs in perimeter networks, you should
consider installing it on a Server Core installation to keep it more
secure.
Different editions of Windows Server 2008 R2 offer different
features in support of AD CS. Table 3 outlines the
supported features based on the selected edition.
Table 3. AD CS Features per Windows Server 2008 R2 Edition
SUPPORTED COMPONENTS AND FEATURES        | WEB | STANDARD | ENTERPRISE | DATACENTER
-----------------------------------------|-----|----------|------------|-----------
Stand-alone certificate authority        | ☐   | ☑        | ☑          | ☑
Enterprise certificate authority         | ☐   | ☐        | ☑          | ☑
Network Device Enrollment Service (NDES) | ☐   | ☐        | ☑          | ☑
Online responder service                 | ☐   | ☐        | ☑          | ☑
Key archival                             | ☐   | ☐        | ☑          | ☑
Role separation                          | ☐   | ☐        | ☑          | ☑
Certificate Manager restrictions         | ☐   | ☐        | ☑          | ☑
Delegated enrollment agent restrictions  | ☐   | ☐        | ☑          | ☑
Preparing for AD CS Installation
You must prepare your environment before installing AD CS. The prerequisites for a typical AD
CS installation include the following:
- An AD DS forest with at least a forest root domain. Preferably, you also have a child production domain.
- Computers to run the certificate authorities used in your hierarchy. In the simplest typical deployment, this means at least two computers: one for the root CA and one for the issuing CA. The issuing CA can also host the online responder service and NDES. The issuing CA requires the installation of IIS, but the AD CS installation process automatically adds this feature during installation. Both computers should be members of the production domain. In addition, these computers should include the following settings:
  - Remember that the root CA can run Windows Server 2008 R2 Standard edition. In addition, it should be disconnected from the network after the installation is complete, for security purposes.
  - The enterprise issuing CA must run on either Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition.
  - The root CA needs at least two drives, and the issuing CA should have three drives to store the certificate database and its logs.
- A special user account, if you choose to install the NDES service. Create a domain account and make it a member of the local IIS_IUSRS group on each server that will host this service. For example, you could name this account NDESService. Because this account will be shared among several computers, it should not be a managed service account.
- Client computers, ideally running Windows 7, to request and obtain certificates.
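The NDES account step above can be scripted. The PowerShell below is an added example and not the book's own procedure; it creates the domain account, adds it to the local IIS_IUSRS group on each NDES host through the WinNT ADSI provider (which does not need WinRM), and verifies the membership. It assumes RSAT with the ActiveDirectory module, local administrator rights on each host, and the placeholder domain CONTOSO and host names CA01 and NDES02; the account name NDESService is the one the text suggests.

```powershell
# Added example, not from the book: create the shared NDES service account and
# make it a member of the local IIS_IUSRS group on every NDES host.
# Assumed: NetBIOS domain 'CONTOSO', hosts 'CA01' and 'NDES02'.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'               # assumed NetBIOS domain name
$AccountName = 'NDESService'           # the example name the text suggests
$NdesHosts   = @('CA01', 'NDES02')     # assumed servers that will host NDES

# Prompt for the password instead of embedding it in the script
$password = Read-Host -AsSecureString -Prompt "Password for $Domain\$AccountName"

# A plain domain user, deliberately not a managed service account, because the
# same identity is used on several computers
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $password -Enabled $true `
    -Description 'NDES service account (shared across NDES hosts)'

foreach ($server in $NdesHosts) {
    # WinNT provider binds to the remote machine's local SAM
    $group = [ADSI]"WinNT://$server/IIS_IUSRS,group"
    $group.Add("WinNT://$Domain/$AccountName,user")

    # Verify: enumerate the group's members and look for the new account
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $AccountName) {
        Write-Output "$server : $AccountName is a member of IIS_IUSRS"
    } else {
        Write-Warning "$server : $AccountName was not found in IIS_IUSRS"
    }
}
```

Because this one identity is shared by every NDES host, treat it as a low-privilege account: IIS_IUSRS membership is all the service needs, so do not add it to any administrative group, and plan for rotating its password on all hosts at once.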
Now you can move on to the actual installation. To install a
stand-alone root CA, use the procedure described in the following
practice.