Information Technology Reference
In-Depth Information
3. In the Select Server Roles window, click Active Directory Certificate Services, and then click Next.
4. In the Introduction to Active Directory Certificate Services window, read the description and the paragraph under Things to Note. In particular, note that you can't change the computer name, join a different domain, or promote the server to a domain controller after the role is installed. Click Next.
5. In the Select Role Services window, the Certification Authority option is selected by default. Click to select Online Responder. The Online Responder role service requires the Web Server role service, so when you're prompted to add this role service, click Add Required Role Services. If the server were going to be a standalone root CA in a multilevel hierarchy, you would install only Certification Authority. You can't install NDES until the Certification Authority role has been installed. Click Next.
6. In the Specify Setup Type window, make sure Enterprise is selected. If you did not change this server's DNS address to the address of ServerXX, Enterprise is grayed out. Click Next.
7. In the Specify CA Type window, make sure Root CA is selected, and then click Next.
8. In the Set Up Private Key window, make sure Create a new private key is selected. If this CA were replacing a failed CA, you would click “Select a certificate and use its associated private key.” If you had a private key from a previous installation or from an external source, you would click “Select an existing private key on this computer.” Click Next.
9. In the Configure Cryptography for CA window, accept the default selections and click Next.
10. The next window requests a name for the CA. By default, the name is generated automatically to include the domain name and server name followed by “CA.” For example, if the domain is w2k8ad99.com and the server name is Server199, the default CA name is w2k8ad99-Server199-CA. You can also enter the distinguished name suffix, but usually, the default is fine. Click Next.
11. In the Set Validity Period window, you can set the validity period of the certificate issued to this CA. The validity period should be specified in the certificate practice statement. The period you choose depends on how this CA is used and the types of certificates it will issue. If the certificate expires, the CA is no longer valid, nor are any certificates it has issued. Certificates can be renewed as needed. Accept the default of 5 years, and then click Next.
12. In the Configure Certificate Database window, you can choose where certificates and the certificate log should be stored. If the CA will be used heavily, these two databases should be stored on separate drives and shouldn't be placed on the same drive as the Windows folder. For testing purposes, you can use the default location of C:\Windows\system32\CertLog for both databases. Click Next.
13. Because you chose to install the Online Responder role service, which requires the Web Server role service, the Web Server (IIS) window is displayed. Click Next.
14. You're prompted to select role services for the Web Server role service. If necessary, you can make changes to the default selections. For now, accept the defaults and click Next.
15. In the Confirm Installation Selections window, review the options you have chosen. You're also warned that you can't change the computer name or domain name after the CA has been installed. Click Install.
16. When the installation is finished, click Close.
17. In Server Manager, you probably have a warning event for AD CS. Click the Active Directory Certificate Services link next to the yellow warning message, and then double-click the Warning message. Read the event information. It explains how you can verify that the CA certificate was published correctly in Active Directory. Click Close.
18. Open a command prompt window, type gpupdate /force, and press Enter to update the certificate store (database where certificates are stored). After gpupdate has finished, type