Active Directory Certificate Services

  • Question

  • I'm about to install ADCS. Would this in any way affect our current AD, e.g. keeping users or workstations from logging into AD? The reason I ask is that I once had a problem with PKI in Novell and certain eDirectory functions quit working.
    Friday, November 20, 2009 7:42 PM

Answers

  • Hi Kirk,

    When you configure everything according to plan there will be no problem at all. There is a lot to tell about PKI, but maybe I can give you some notes. Some things you probably already know.

    First of all, when you deploy an Enterprise Root CA or Subordinate CA they create Trusted Root CA certificates for themselves. These certificates are stored in Active Directory. Your clients will automatically get these trusted root CA certificates. You don't have to create a Group Policy for it. Your clients will then automatically trust your CA(s).

    But... what I do, after installation, is disable the services right away. I then modify the CRL and AIA distribution points so that the http path does not have a FQDN like hostnamefromca.yourdomain.local. I change it to something like ca.yourdomain.com. This is important when you want your clients to check the certificates from the internet and such. Maybe I'm going too fast, but I just wanted to let you know.

    Second, you configure certificate templates. By default the Computer (Version 1) template cannot be used for automatic enrollment to your servers/clients. You have to make a copy and make it a Computer (Version 2, Windows Server 2008) template. You can then modify the security and give a Security Group (e.g. Domain Computers) the auto-enrollment permissions. From here nothing happens yet.

    Third, you enable the certificate templates on your CA. And fourth, you have to create a Group Policy that lets your computers request a certificate.

    If your clients eventually request certificates, there is no problem at all (yet). The certificates are just there, nothing more. Things only become a problem once you are adding IPSec policies for communication and such. When you say they NEED to use their certificates, that is where you have to make sure everything is set up correctly. Otherwise you can indeed get weird scenarios.

    Boudewijn
    Sunday, November 22, 2009 11:13 AM
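The CDP/AIA change and the template/auto-enrollment steps described in the answer above, written out as an added example (not from the thread or from Microsoft). It assumes a CA host hostnamefromca.yourdomain.local that will be published under the alias ca.yourdomain.com, a duplicated Version 2 template named ComputerV2, and the default publication list that Windows Server 2008 writes at install time.

```powershell
# Added example, run in an elevated PowerShell prompt on the CA itself.
# Assumed names: alias ca.yourdomain.com, template ComputerV2.

# 1. Stop the CA before touching the extension URLs, as the answer suggests,
#    so no certificate is issued with the hostname-based URLs in the meantime.
Stop-Service -Name certsvc

# 2. CRL distribution points. Prefix flags: 1 = publish the CRL to this
#    location, 2 = put the URL in the CDP extension of issued certs,
#    4 = include in CRLs, 8 = include in all CRLs (AD), 64 = publish delta CRLs.
#    Variables: %3 CA name, %8 CRL suffix, %9 delta-CRL suffix, %6/%10 AD DN parts.
#    The http entry is the one changed: ca.yourdomain.com instead of %1 (host FQDN).
certutil -setreg CA\CRLPublicationURLs `
  "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://ca.yourdomain.com/CertEnroll/%3%8%9.crl"

# 3. Authority Information Access. Flags: 1 = publish CA cert here,
#    2 = put the URL in the AIA extension. The local file still uses %1 in its
#    name, so the http path must keep the same %1_%3%4.crt file name.
certutil -setreg CA\CACertPublicationURLs `
  "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://ca.yourdomain.com/CertEnroll/%1_%3%4.crt"

# 4. Restart the CA, publish a fresh CRL and read the settings back to confirm
#    that no http URL still carries the internal host name.
Start-Service -Name certsvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 5. Enable the duplicated Version 2 template on the CA (step three in the answer).
#    Auto-enrollment itself is turned on per the GPO setting
#    "Certificate Services Client - Auto-Enrollment" (step four).
certutil -SetCATemplates +ComputerV2

# 6. Check from a domain-joined client: trigger auto-enrollment, then verify an
#    issued certificate by fetching its CDP/AIA URLs. Any "Failed" line for an
#    http URL means the alias is not resolvable or the CertEnroll share is not
#    published on the web server.
certutil -pulse
# certutil -verify -urlfetch .\issued.cer     # run against an exported leaf cert
```

The last verification is the one worth repeating from outside the domain if certificates are meant to be checked from the internet, since a CDP URL that only resolves internally fails revocation checking there.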