Certificate Services, install on domain controller?

All replies

  • What is best practice for where certificate services should be installed? On my primary domain controller? On one of the other domain controllers? On a separate member server dedicated to this service? I have found the following articles on installing this service but it does not mention where it should be installed.

    The best practices for the Active Directory certificate services:

    1- You should use Secondary Enterprise CAs to issue and manage certificates.

    2- The Enterprise Root CA should be kept offline

    The Enterprise Root CA should be kept offline because of the following:

    Let's suppose a hacker attacked an Enterprise Secondary CA. In this case, you can revoke its certificate so that all the certificates issued by this CA will be revoked.

    Let's suppose a hacker attacked an Enterprise Root CA. Here, you may be in big trouble.


    So, in your case, I recommend that you:

    1- Install the Enterprise Root CA on a server that hosts no other services

    2- Install your Enterprise Secondary CAs that will issue and manage certificates. (You can use a new server, there is no problem with that)

    3- Keep your Enterprise Root CA offline once you have installed and certified all your Secondary CAs.

    So, there is no need to install the AD CS on domain controllers. You should just keep in mind what I told you.

    Monday, September 06, 2010 2:51 PM
  • On Mon, 6 Sep 2010 14:51:10 +0000, Mr X wrote:

    > 2- The Enterprise Root CA should be kept offline

    An Enterprise CS cannot, by definition be offline.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, September 06, 2010 3:01 PM
  • On Mon, 6 Sep 2010 15:01:44 +0000, Paul Adare wrote:

    > An Enterprise CS cannot, by definition be offline.

    CS should be CA.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, September 06, 2010 3:04 PM
  • I have a small environment so my original thought was just to have a root CA and not a secondary CA. We are a public school district with about 4,300 students and will be using the CA to issue about 5 or 6 certs to use internally. For example, my wireless controllers (Meru) and my centralized storage (Netapp) both have web based interfaces. When either me or my staff visit these interfaces we always get the message that this may not be a trusted site and have to hit "continue to this site" to get the login screen.

    If I can issue certificates via my own CA and then import them into the Meru and Netapp interfaces, these messages will no longer be displayed. Of course, none of this is visible to anyone outside my network, hence the use of certificates generated internally.

    I am thinking about bringing up another WinServer 2008 R2 server under VMWare and using it as my Root CA. After a bit more digging, installing certificate services on an existing domain controller seems like a bad idea.

    Your thoughts?

    Monday, September 06, 2010 8:37 PM
  • On Mon, 6 Sep 2010 20:37:49 +0000, HendersonD wrote:

    > I have a small environment so my original thought was just to have a root CA and not a secondary CA. We are a public school district with about 4,300 students and will be using the CA to issue about 5 or 6 certs to use internally. For example, my wireless controllers (Meru) and my centralized storage (Netapp) both have web based interfaces. When either me or my staff visit these interfaces we always get the message that this may not be a trusted site and have to hit "continue to this site" to get the login screen.
    >
    > If I can issue certificates via my own CA and then import them into the Meru and Netapp interfaces, these messages will no longer be displayed. Of course, none of this is visible to anyone outside my network, hence the use of certificates generated internally.

    If you already have certificates that can be used for these devices then there's no compelling need to stand up a CA just to get rid of those error messages. I'm assuming that these are some kind of self-signed certificates and if that's the case then you can either send copies of the certs to those who need them and they can manually import them to the Trusted Root Certification Authorities store on their local computers, or, you could create a GPO and distribute them that way.


    > I am thinking about bringing up another WinServer 2008 R2 server under VMWare and using it as my Root CA. After a bit more digging, installing certificate services on an existing domain controller seems like a bad idea.

    Installing any additional role on a domain controller is not good from a strict security perspective in that you want to try to minimize the attack surface on your DCs. With AD CS you have another problem in that you cannot remove Active Directory (in the event you want to decommission a DC for example) without first removing AD CS from that DC.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Monday, September 06, 2010 9:16 PM
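    As a way to check the point made above about AD CS on domain controllers, here is an added PowerShell example (not from this thread or from Microsoft's guides) that lists the Enterprise CAs registered in Active Directory and flags any that are hosted on a DC. It assumes the ActiveDirectory module (RSAT, Windows Server 2012 or later) and read access to the Configuration partition, which domain users have by default.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EnterpriseCaOnDomainController {
    # Enterprise CAs register a pKIEnrollmentService object under the
    # Public Key Services container of the Configuration naming context.
    # Standalone (offline) root CAs do not register one, so they will not
    # appear here; that is expected for an offline root.
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $cas = Get-ADObject -SearchBase $enrollBase -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName

    # Domain controllers of the current domain, compared case-insensitively.
    # Run once per domain if the forest has several.
    $dcNames = (Get-ADDomainController -Filter *).HostName |
        ForEach-Object { $_.ToLower() }

    foreach ($ca in $cas) {
        $caHost = ([string]$ca.dNSHostName).ToLower()
        [pscustomobject]@{
            CaName             = $ca.Name
            HostName           = $caHost
            OnDomainController = ($dcNames -contains $caHost)
        }
    }
}

$report = Get-EnterpriseCaOnDomainController
$report | Format-Table -AutoSize

$onDc = $report | Where-Object { $_.OnDomainController }
if ($onDc) {
    $hosts = ($onDc.HostName -join ', ')
    # AD CS must be removed from a DC before that DC can be demoted, so
    # flag these for a planned move to a dedicated member server.
    Write-Warning "AD CS is installed on a domain controller: $hosts"
}
```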
  • The problem is these devices cannot generate a self-signed certificate. This is the reason I thought about standing up another server just so I can install Certificate Services and issue self-signed certificates. When I had only one device (site) that gave this message it was no big deal. Now I have 6 devices that all have web interfaces and when visiting these interfaces my staff and I are always hit with the security message.

    Tuesday, September 07, 2010 2:02 PM
  • Hi,

    It's relatively easy to build a CA in a small environment. Please refer to the following guides:

    Building an Enterprise Root Certification Authority in Small and Medium Businesses
    http://technet.microsoft.com/en-us/library/cc875810.aspx

    Active Directory Certificate Services Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx

    Thanks.

    Wednesday, September 08, 2010 10:23 AM
    Moderator
  • I know I am more than a little late to the party; however, it would seem that, from my understanding of virtualization, this would be a prime opportunity to use it. It would seem that you could put a virtual server in place to perform as your CA. I am a novice at the whole virtualization stuff and have been out of the server arena for quite a while, but I would think your best option here is to pool multiple servers to serve as a cluster hosting multiple virtual servers? That is, if I understand the whole architecture bit correctly. My understanding is that you can take X number of physical servers to create what would functionally be one big server to host any number of virtual servers? I am all ears to any better information.

    Mike
    Wednesday, April 27, 2011 11:01 AM