Failover Clustering and Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2

Microsoft Corporation
Published: January 2010
By Carsten B. Kinder & Mark B. Cooper

Abstract
Active Directory Certificate Services (AD CS) in Windows Server 2008 and Windows Server 2008 R2 offers greater levels of reliability for the Certification Authority (CA) role service. This guide details the setup, configuration, and troubleshooting of AD CS with the Failover Clustering feature of Windows Server 2008 and Windows Server 2008 R2.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Configuring Certificate Services in Windows Server 2008

Contents

Introduction
    Scope
    Windows Versions That Support Certificate Services Clustering
    Cluster Requirements
    Supported Deployment Scenarios
Preparing the CA Cluster Environment
    Installing the Operating System on Cluster Nodes
    Setting Up a Shared Storage
    Configuring a Network HSM
Installing and Configuring the CA Cluster
    Understanding Names Used in a Cluster Configuration
    Setting Up the CA Server Role on the First Cluster Node
    Setting Up the CA Server Role on Additional Cluster Nodes
    Setting Up the Failover Cluster Feature on Cluster Nodes
    Creating a Failover Cluster
    Configuring the Failover Cluster
    Configuring the CRL Distribution Point
    Creating the CRL Objects in Active Directory
    Configuring the CA in Active Directory
    Adjusting the DNS Name for the CA in Active Directory
Certification Authority Renewals
Troubleshooting
Related Links


Introduction

The Failover Clustering feature in Windows Server 2008 provides a high grade of reliability that can now be leveraged by Microsoft Active Directory Certificate Services. With Microsoft Windows Server 2003 and earlier versions, multiple CAs had to be deployed into an infrastructure to achieve redundancy of certificate services. While you can still have multiple CAs operating in your Active Directory forest, with failover clustering there is no need to deploy more than one CA to protect certificate services from unexpected failure.

Scope

This guide describes the steps required to set up failover clustering with Windows Server 2008 or Windows Server 2008 R2 and to deploy a CA on shared storage, with or without a network hardware security module (HSM). Shared storage is always a requirement for Failover Clustering. The network HSM ensures strong protection of the CA key material and represents a shared key store at the same time: the active node can always connect to the network HSM regardless of which physical node the clustered CA runs on.

Windows Versions That Support Certificate Services Clustering

Clustering support for certificate services is provided by the following versions of Windows:

- Windows Server 2008, Enterprise Edition
- Windows Server 2008, Datacenter Edition
- Windows Server 2008 R2, Enterprise Edition
- Windows Server 2008 R2, Datacenter Edition

Cluster Requirements

To run certificate services in a clustered environment, you must understand the prerequisites and under what circumstances a CA cluster is supported.

A cluster can only run a single instance of Certificate Services. A failover cluster of any size can be used to provide a high-availability environment for certificate services. However, Microsoft does not support more than one instance of certificate services on a cluster.

Shared storage is required. To store the CA database and the log files for certificate services, shared storage must be available to all cluster nodes that form the cluster.

Supported Deployment Scenarios

Deploying AD CS on a failover cluster can accomplish a number of goals for customer environments. These goals are often determined by existing certificate services servers in an environment. There are a number of ways in which a failover cluster can be deployed.

- A completely new Public Key Infrastructure. A new clustered certificate services CA can be deployed to provide services in a fault-tolerant configuration even if an existing PKI is already in place.
- A migration from an existing Windows 2003 or Windows 2008 Certificate Services CA. In this scenario, an environment has one or more CAs that need to be preserved and migrated to a Windows 2008 failover cluster. See the AD CS Migration Guide.

Clustering is only supported for the CA service. Microsoft supports clustered configurations of the CA role service only. Clustering is not supported for the other AD CS role services such as the Online Responder (Online Certificate Status Protocol, OCSP) or the Network Device Enrollment Service (Simple Certificate Enrollment Protocol, SCEP). Clustering of the Certification Authority Web Enrollment feature is possible, but has not been tested by the product team, so it is not recommended for production deployments. Refer to the Troubleshooting section on configuring Web Enrollment to work properly in a clustered environment.


Preparing the CA Cluster Environment

This section focuses on the preparation of the environment for the Certificate Services cluster.

Installing the Operating System on Cluster Nodes

To prepare the cluster nodes, you have to install Windows Server 2008 or Windows Server 2008 R2, Enterprise Edition (or Datacenter Edition) on all cluster nodes. Deploying a failover cluster requires all cluster nodes to run the same operating system version.

Setting Up a Shared Storage

Configuring shared storage can be a complex task. This guide does not provide detailed information about how to configure the shared storage. To set up a shared storage disk for certificate services, see the configuration procedures that apply to your shared storage solution. Plan the size of the shared storage depending on the number of certificates you expect to enroll: 64 KB is a safe estimate for a single certificate, including the certificate request and possibly an archived (recovery) key.

Configuring a Network HSM

The configuration of a network HSM is specific to the configuration guidelines of the vendor. Since no common setup procedure exists, it is not addressed in this guide. To make a network HSM available to your CA cluster, follow the steps in the documentation provided by the network HSM vendor.


Installing and Configuring the CA Cluster

The following sections describe the installation and configuration of a CA on a failover cluster running on Windows Server 2008 or Windows Server 2008 R2.

Understanding Names Used in a Cluster Configuration


Before you begin, you should think about the names that are used during the installation procedure. It is important to have these names properly defined, since they are used throughout the configuration. The following list explains the names that are used in the subsequent sections; the step-by-step guidance refers to these labels.

Cluster node name
  Description: Every Windows computer has a name; therefore, computers acting as cluster nodes have a computer name.
  Configured where: The computer name is configured in the computer's properties of a Windows computer.
  Used by: The computer names of the nodes are permitted on access control lists (ACLs) of the following Active Directory objects in the configuration naming context under Services > Public Key Services:
    Authority Information Access (AIA) > <CA name>
    CDP (CRL Distribution Point) > <Service name>
    Enrollment Services > <CA name>
    KRA (Key Recovery Agent) > <CA name>

Cluster name
  Description: The failover cluster has a unique name that is registered in Active Directory.
  Configured where: The cluster name is configured when the failover cluster is set up. See step 10 in "Creating a Failover Cluster".
  Used by: The name of the cluster is used to refer to a specific cluster in the Failover Cluster Management snap-in. The CA has no dependency on this name.

Service name
  Description: The service name represents the Domain Name System (DNS) name of the clustered CA service.
  Configured where: The service name is configured when the CA is set up as a clustered service. See step 6 in "Configuring the Failover Cluster".
  Used by: The service name appears as part of the CA configuration string. It can be queried with certutil -cainfo dns at a command prompt. The service name is represented in the following Active Directory object in the configuration naming context under Services > Public Key Services:
    Certificate Revocation List (CRL) Distribution Point (CDP) > <Service name>

CA name
  Description: The CA name is the actual name of the CA.
  Configured where: The name of the CA is configured when the CA service is installed. See step 12 in "Setting Up the CA Server Role on the First Cluster Node".
  Used by: The CA name is part of the CA configuration string and is displayed as the node name in the Certification Authority Microsoft Management Console (MMC) snap-in. It can be queried at a command prompt with certutil -cainfo name; the sanitized form used for the directory object names is returned by certutil -cainfo dsname. The name is written into the Issuer attribute of every issued certificate and is also used in the following Active Directory objects in the configuration naming context under Services > Public Key Services:
    AIA > <CA name>
    CDP > <Service name> > <CA name>
    Certification Authorities > <CA name>
    Enrollment Services > <CA name>
    KRA > <CA name>

The following screenshots show where the names appear in the Failover Cluster Management snap-in and in the Certification Authority snap-in. For illustration purposes, the objects are labeled according to the names described previously.


Setting Up the CA Server Role on the First Cluster Node

This section explains how to install certificate services on the first cluster node. It is important to understand that the shared resources, like the disk storage that keeps the CA database and log file, must be available to the CA during setup. Releasing these resources after the setup of this node is finished is equally important, so that the second node can be set up.

Here are the steps to configure the first cluster node.

1. Log on to the cluster node with permissions to install the first cluster node. To install an enterprise CA, log on with enterprise permissions to the Active Directory domain. To install a stand-alone CA, you may log on with local administrator permissions if you do not want to register the CA in the Active Directory configuration container.

The next steps describe how to confirm that the shared disk is available to the node.

2. Click the Start button, point to Run, type servermanager.msc, and then click OK.
3. The Server Manager MMC snap-in opens. Expand the Storage node and select Disk Management.
4. Make sure that the shared disk that is used for the CA is online.

If you are using a network HSM, confirm that the network HSM is available to the first node: expand the Diagnostics node in the left pane of the Server Manager snap-in, and then click Services. Make sure that the service that connects to the network HSM is started. Refer to the HSM vendor for service information.

Now you are going to install Certificate Services on the first node.

5. In the left pane of the Server Manager snap-in, select the Roles node.
6. On the Action menu, click Add Roles.
7. On the Select Server Roles page, mark Active Directory Certificate Services, and then click Next twice.
8. On the Select Role Services page, make sure that only Certification Authority is marked, and then click Next. No AD CS role service other than the CA is supported in a clustered environment.
9. Select the setup type for the CA and click Next.
10. Select the CA type for the CA and click Next.
11. Select Create a new private key and click Next.

If you are using a network HSM, select the cryptographic service provider (CSP) provided by the HSM vendor from the list and set the desired key length. Click Next. Note this CSP name, as you will need it in the next section when using the certutil -repairstore command.

12. Enter the CA name and click Next. For more information about the CA name, see "Understanding Names Used in a Cluster Configuration".
13. If you are configuring a root CA, define the validity period. If you are configuring a subordinate CA, choose whether to submit the request online or save it to a file. Click Next.
14. Change the default paths for the database and log files to the desired location on the shared storage drive set up in "Setting Up a Shared Storage". Click Next.
15. Click Install.

As a next step, the CA certificate must be exported.

16. Click the Start button, point to Run, type certsrv.msc, and then click OK.
17. Select the CA node in the left pane.
18. On the Action menu, click All Tasks, and then click Back up CA.
19. On the Welcome page of the CA backup wizard, click Next.
20. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and, optionally, the key. Click Next.
21. Provide a password to protect the CA key and click Next.
22. Click Finish.

If you are using a network HSM, a warning message will display telling you that the private key cannot be exported. This is expected behavior because the private key never leaves the HSM. Click OK to continue.

If you are using a software CSP, the exported PFX file contains the CA private key. Keep it on protected storage, copy it to the other nodes only over a trusted channel, and delete every copy once the last node has imported it: anyone holding that file and its password can issue certificates as your CA.

The CA service must be shut down to unlock the disk resources.

23. While the CA is selected in the left pane, on the Action menu, click All Tasks, and then click Stop Service.
24. Close the Certification Authority MMC snap-in.

Detach the shared storage from the cluster node.

25. Go to the Server Manager MMC snap-in, expand the Storage node, and then select Disk Management.
26. Change the state of the disk keeping the CA database to offline.

If you are using a network HSM, release the HSM from the cluster node: expand the Diagnostics node in the left pane of the Server Manager view and click Services. Select the service that works with the HSM. On the Action menu, click Stop.

27. Log off cluster node one. The installation of the Certification Authority on the first node is now complete.


Setting Up the CA Server Role on Additional Cluster Nodes

This section explains how to set up any additional cluster nodes. The configuration of the additional nodes is slightly different from the first node: some configuration settings are already defined on the first node, so they only need to be applied on the other nodes.

Install the CA on another cluster node.

1. Log on to the cluster node with permissions to install the cluster node, as explained in step 1 of the previous section.

Confirm that the shared disk is available to the cluster node.

2. Click the Start button, point to Run, type servermanager.msc, and then click OK.
3. The Server Manager MMC snap-in opens. Expand the Storage node and select Disk Management.
4. Make sure that the shared disk that is used for the CA is online.

If you are using a network HSM, confirm that the network HSM is available to the node: expand the Diagnostics node in the left pane of the Server Manager snap-in, and then click Services. Make sure that the service that connects to the network HSM is started. Refer to the HSM vendor for service information.

Import the CA certificate into the local machine certificate store.

5. Copy the previously exported CA certificate to the second cluster node.
6. Click the Start button, point to Run, type mmc, and then click OK.
7. On the File menu, click Add/Remove Snap-in.
8. Select Certificates from the list of available snap-ins and click Add.
9. Select Computer account, click Finish twice, and then click OK.
10. In the Certificates MMC snap-in, expand the Certificates (Local Computer) node and select the Personal store.
11. On the Action menu, click All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. Enter the file name of the CA certificate that was previously created on the first node and click Next. If you use the Browse button to find the certificate, change the file type to Personal Information Exchange (*.pfx, *.p12).
14. Type the password that you previously used to protect the private key. The password is required even if there is no private key in the PFX file. Do not mark this key as exportable. Click Next.
15. Place the certificate in the Personal certificate store and click Next.
16. To import the certificate, click Finish.
17. To confirm the successful import, click OK.

If you are using a network HSM, you must repair the association between the certificate and the private key that is stored in the HSM. In the Certificates MMC snap-in, expand the Personal store and select the Certificates container. Select the imported certificate. On the Action menu, click Open. Go to the Details tab. Select the Serial Number field, copy the serial number to the Clipboard, and then click OK. At a command prompt, type

certutil -repairstore -csp "<CSP provider name>" My "<serial number>"

and then press ENTER, using the CSP name you noted during the setup of the first node. For example:

certutil -repairstore My "<serial number copied from the certificate>"

Install Certificate Services on the node.

18. Return to the Server Manager MMC snap-in.
19. In the left pane, select the Roles node.
20. On the Action menu, click Add Roles.
21. On the Select Server Roles page, mark Active Directory Certificate Services and click Next twice.
22. On the Select Role Services page, make sure that only Certification Authority is marked and click Next. No AD CS role service other than the CA is supported in a clustered environment.
23. Select the exact same setup type for the CA that you used for the first node and click Next.
24. Select the exact same CA type for the CA that you used for the first node and click Next.
25. Select Use existing private key, choose Select a certificate and use its associated private key, and then click Next.
26. Select the CA certificate that was generated on the first node and click Next.
27. Change the default paths for the database. In the dialog box stating that an existing database was found, select Yes to overwrite it.
28. Change the default path for the database log location. In the dialog box stating that an existing database was found, select Yes to overwrite it. Click Next to continue.

Overwriting is safe at this point only because the CA has not issued anything yet; each additional node recreates an empty database on the shared disk. Finish the installation of all nodes before the CA is put into service, or restore a CA database backup afterwards.

29. Click Install.
30. To finish the role installation, click Close.
31. Log off from the cluster node.
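The network HSM repair step above (certutil -repairstore) is easy to get wrong silently: the command succeeds, but the certificate is still not linked to a key. The following PowerShell script is an added example, not part of the original guide, that performs the same repair on an additional node and checks the result by re-reading the certificate from the machine store. The CA name, the CSP name, and the store location are assumptions; use the CSP name you noted during the first node's setup.

```powershell
# Added example (not from the original guide): re-link the imported CA certificate to the
# private key held in the network HSM, then confirm that the link exists.
# Assumptions (hypothetical values): CA name as entered in the setup wizard; CSP name as
# shown by the HSM vendor's provider in the AD CS setup wizard.
$CaName  = "Contoso Cluster CA"
$CspName = "Vendor Hardware Cryptographic Provider"

function Get-CaCertificate {
    param([string]$Subject)
    # The PFX import placed the certificate in the machine Personal store (Cert:\LocalMachine\My).
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -or $_.Subject -like "CN=$Subject,*" } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

$cert = Get-CaCertificate -Subject $CaName
if (-not $cert) { throw "CA certificate 'CN=$CaName' not found in LocalMachine\My; import the PFX first." }

# Before the repair the certificate has no key association on this node.
"Before: HasPrivateKey = $($cert.HasPrivateKey)  Serial = $($cert.SerialNumber)"

# Same command as in the guide, with the serial number taken from the store instead of the clipboard.
& certutil.exe -repairstore -csp "$CspName" My "$($cert.SerialNumber)"
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Re-read the store: HasPrivateKey must now be True, otherwise the CA role setup on this
# node will not be able to use the HSM key ("Use existing private key" will fail).
$cert = Get-CaCertificate -Subject $CaName
"After:  HasPrivateKey = $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) {
    throw "Key association still missing; check that the HSM client service is running and that the CSP name is correct."
}
```

Run it in an elevated PowerShell prompt on the node after step 17. Because HasPrivateKey only reports that a key-provider reference was written to the certificate, a wrong CSP name can still leave a broken reference; if the AD CS setup later refuses the key, stop the HSM client service, start it again and rerun the repair.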


Setting Up the Failover Cluster Feature on Cluster Nodes

Failover Clustering is a feature of Windows Server 2008 Enterprise and Datacenter Editions. Repeat the following steps on all cluster nodes that will potentially run Active Directory Certificate Services.

1. Log on to one of the cluster nodes with local administrator permissions.
2. Click the Start button, point to Run, type servermanager.msc, and then click OK.
3. The Server Manager MMC snap-in opens. In the left pane, select the Features node.
4. On the Action menu, click Add Features.
5. In the list of available features, mark Failover Clustering and click Next.
6. Click Install.
7. Click Close.

Creating a Failover Cluster

1. Log on to the cluster node that is still attached to the shared storage drive.
2. Click the Start button, point to Run, type Cluadmin.msc, and then click OK.
3. If the Before you begin page appears, click Next.
4. Enter the cluster node name (computer name) of the first cluster node and click Add. For more information about the cluster node name, see "Understanding Names Used in a Cluster Configuration".
5. Enter the cluster node names of the other cluster nodes and click Add.
6. Click Next to continue.
7. To perform the validation tests, choose Yes and click Next twice.
8. Keep the default option to Run all tests and click Next twice.
9. Verify the cluster test report and click Finish.
10. Provide the cluster name. This name is not relevant for the later CA configuration. For more information about the cluster name, see "Understanding Names Used in a Cluster Configuration".
11. View the cluster creation report and click Finish.

Configuring the Failover Cluster

Certificate Services must be configured as a cluster resource.

1. In the Failover Cluster Management snap-in, select the Services and Applications node in the left pane.
2. On the Action menu, click Configure a Service or Application.
3. If the Before you begin page appears, click Next.
4. In the list of services and applications, select Generic Service and click Next.
5. In the list of services, select Active Directory Certificate Services and click Next.
6. Choose the service name and click Next. For more information about the service name, see "Understanding Names Used in a Cluster Configuration".
7. Mark the disk storage that is still mounted to the node and click Next.
8. To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK. This registry checkpoint replicates the CA configuration to whichever node becomes active.
9. Click Next twice.
10. Click Finish to complete the failover configuration for certificate services.
11. In the left pane, expand the Services and Applications node and select the newly created clustered service.
12. In the middle pane, select Generic Service. On the Action menu, click Properties.
13. Change the Resource Name to Certification Authority and click OK.

At this stage, you can move the certification authority between all nodes.

If you have installed a service to access the network HSM, it is recommended that you create a dependency between the CA and the network HSM service, so that the CA is never started on a node before its key store is reachable. To configure this dependency, follow these optional steps:

1. In the Failover Cluster Management snap-in, select the Services and Applications node and select the previously created clustered service in the middle pane.
2. On the Action menu, select Add a resource and then Generic Service. The new resource wizard appears.
3. In the list of available services, select the name of the service that was installed to connect to your network HSM. Click Next twice. Click Finish.
4. Under the Services and Applications node in the left pane, click the name of the clustered service. Select the newly created Generic Service in the middle pane. On the Action menu, click Properties.
5. On the General tab, rename the resource if desired and click OK. Make sure that the service is Online.
6. Select the resource previously named Certification Authority in the middle pane. On the Action menu, click Properties.
7. On the Dependencies tab, click Insert, select the network HSM service from the list, and then click OK.
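The wizard steps above produce three things a reviewer should be able to verify without clicking through dialogs: a Generic Service resource wrapping CertSvc, a registry checkpoint for the CertSvc hive, and the dependency chain (shared disk and, optionally, the HSM client service). The following PowerShell script is an added example, not part of the original guide, that checks and completes that configuration on Windows Server 2008 R2, whose FailoverClusters module exposes the same settings the wizard writes (on Windows Server 2008 RTM the module does not exist; use cluster.exe or the snap-in instead). The resource names are assumptions.

```powershell
# Added example (not from the original guide): verify and complete the clustered CA
# resource on Windows Server 2008 R2 (FailoverClusters module). Run on any cluster node
# as a cluster administrator. Names below are assumptions.
Import-Module FailoverClusters

$CaResource  = "Certification Authority"   # resource name chosen in step 13
$HsmResource = "HSM Client Service"        # assumed: Generic Service resource created for the HSM client
$CertSvcHive = "SYSTEM\CurrentControlSet\Services\CertSvc"

# 1. The CA must be a Generic Service resource whose ServiceName parameter is CertSvc.
$res = Get-ClusterResource -Name $CaResource
if ($res.ResourceType.Name -ne "Generic Service") { throw "$CaResource is not a Generic Service resource" }
$svc = (Get-ClusterParameter -InputObject $res -Name ServiceName).Value
if ($svc -ne "CertSvc") { throw "Resource $CaResource wraps service '$svc', expected CertSvc" }

# 2. The registry checkpoint replicates the CA configuration to whichever node is active.
#    Without it, CertSvc would start on the other node with that node's stale local settings.
$checkpoints = Get-ClusterCheckpoint -ResourceName $CaResource -RegistryCheckpoint | Out-String
if ($checkpoints -notmatch [regex]::Escape($CertSvcHive)) {
    Add-ClusterCheckpoint -ResourceName $CaResource -RegistryCheckpoint $CertSvcHive
    "Added registry checkpoint $CertSvcHive"
}

# 3. The CA must depend on the shared disk (set by the wizard) and, if present, on the HSM client
#    service, so that it is never started before its key store is reachable.
$deps = Get-ClusterResourceDependency -Resource $CaResource
"Current dependency expression: $($deps.DependencyExpression)"
$hsm = Get-ClusterResource -Name $HsmResource -ErrorAction SilentlyContinue
if ($hsm -and $deps.DependencyExpression -notlike "*$HsmResource*") {
    Add-ClusterResourceDependency -Resource $CaResource -Provider $HsmResource
    "Added dependency on $HsmResource"
}

# 4. Prove that the CA follows its group: move it to every node in turn and require Online state.
$group = $res.OwnerGroup
foreach ($node in Get-ClusterNode) {
    Move-ClusterGroup -Name $group.Name -Node $node.Name | Out-Null
    $state = (Get-ClusterResource -Name $CaResource).State
    "$($node.Name): $CaResource is $state"
    if ("$state" -ne "Online") { throw "CA failed to come online on $($node.Name)" }
}
```

Step 4 deliberately moves the whole group rather than stopping CertSvc: a generic service resource that is stopped outside cluster control is reported as failed, and the cluster's restart policy then kicks in, which would mask a real dependency problem.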

Configuring the CRL Distribution Point

The CA configuration tasks should always be performed on the active cluster node. In the default CA configuration, the server's short name is used as part of the CRL and AIA paths. When a CA is running on a failover cluster, the server's short name must be replaced with the service name of the clustered CA in the CRL and AIA Uniform Resource Locators (URLs).

You must restart the CA service after changing the CRL and AIA URLs. Follow these steps to make the changes:

1. Log on to the active cluster node with local administrator permissions.
2. Click the Start button, point to Run, type regedit, and then click OK.
3. Expand the following key in the registry: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
4. Select the name of the CA in the Configuration container.
5. In the right pane, open CRLPublicationURLs for editing. The AIA URLs are held in the same key in CACertPublicationURLs and need the same change.
6. Replace all occurrences of %2 (the ServerShortName token) with the service name that was defined in step 6 of "Configuring the Failover Cluster". If a URL uses %1 (the ServerDNSName token), replace it with the fully qualified service name. The service name also appears in Failover Cluster Management under the Services and Applications node.
7. Click the Start button, point to Run, type cmd, and then click OK.
8. At the command prompt, type net stop certsvc && net start certsvc and press ENTER to restart the CA service.
9. At the command prompt, type certutil -CRL and press ENTER to issue a new CRL with the settings applied previously.

Creating the CRL Objects in Active Directory

The CDP container for the service name has to be created in Active Directory manually, and the CRL must be published to it manually. To create the container and publish the CRL, use the certutil -dspublish command with the -f option.

1. Log on to the active cluster node with enterprise permissions.
2. Click the Start button, point to Run, type cmd, and then click OK.
3. At the command prompt, type cd %WINDIR%\System32\CertSrv\CertEnroll and press ENTER.
4. To publish the CRL to Active Directory, type certutil -f -dspublish <CRLfile> and press ENTER. For example: certutil -f -dspublish "CA Cluster.crl"

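The URL rewrite in "Configuring the CRL Distribution Point" and the publication step in "Creating the CRL Objects in Active Directory" are the two places where a clustered CA most often ends up advertising a node name instead of the service name, which makes revocation checking fail after the first failover. The following PowerShell script is an added example, not part of the original guide, that performs both steps on the active node and then checks that the CDP container exists under the service name. The service names are assumptions; the registry value names, the %1/%2 token meanings and the certutil verbs are standard AD CS.

```powershell
# Added example (not from the original guide): rewrite the CRL (CDP) and AIA publication URLs
# to use the clustered service name, restart CertSvc, issue a fresh CRL and publish it to AD.
# Run as an enterprise administrator on the active cluster node.
# Assumptions (hypothetical): the clustered service name chosen in "Configuring the Failover Cluster".
$ServiceName = "CACLUSTER"                 # short service name, replaces the %2 (ServerShortName) token
$ServiceFqdn = "cacluster.contoso.com"     # fully qualified service name, replaces the %1 (ServerDNSName) token

$configKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active   # name of the active CA on this node
$caKey     = Join-Path $configKey $caName

function Convert-PublicationUrls {
    param([string[]]$Urls, [string]$ShortName, [string]$Fqdn)
    # %2 and %1 would expand to the name of the node that happens to be active, which is wrong on a cluster.
    $Urls | ForEach-Object { $_.Replace("%2", $ShortName).Replace("%1", $Fqdn) }
}

# CRLPublicationURLs holds the CDP list, CACertPublicationURLs the AIA list (both REG_MULTI_SZ).
foreach ($value in "CRLPublicationURLs", "CACertPublicationURLs") {
    $old = @((Get-ItemProperty -Path $caKey -Name $value).$value)
    $new = @(Convert-PublicationUrls -Urls $old -ShortName $ServiceName -Fqdn $ServiceFqdn)
    if (Compare-Object $old $new) {
        "$value`n  before: $($old -join ' | ')`n  after:  $($new -join ' | ')"
        Set-ItemProperty -Path $caKey -Name $value -Value $new -Type MultiString
    }
}

# The new URLs are read at service start (the guide uses net stop/start; this is the same thing).
Restart-Service CertSvc
& certutil.exe -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# Publish every CRL from CertEnroll; -f creates the CN=<service name>,CN=CDP,... container on first use.
$enroll = Join-Path $env:WINDIR "System32\CertSrv\CertEnroll"
Get-ChildItem -Path $enroll -Filter *.crl | ForEach-Object {
    & certutil.exe -f -dspublish $_.FullName
    if ($LASTEXITCODE -ne 0) { throw "dspublish failed for $($_.Name) with exit code $LASTEXITCODE" }
}

# Check: the CDP container must now exist under the service name, not only under a node name.
$config  = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$cdpPath = "LDAP://CN=$ServiceName,CN=CDP,CN=Public Key Services,CN=Services,$config"
if (-not [ADSI]::Exists($cdpPath)) { throw "CDP container for $ServiceName was not created in Active Directory" }
"CDP container present: $cdpPath"
```

After the script has run, `certutil -URL` against a certificate issued by the CA (or `certutil -verify -urlfetch`) should show the CDP and AIA locations under the service name; if any location still carries a node name, that URL was not using the %1/%2 tokens and has to be edited by hand.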

Configuring the CA in Active Directory

You can perform the following tasks using any computer in your Active Directory forest where the Active Directory Sites and Services MMC snap-in and ADSI Edit are installed. To install both tools on Windows Server 2008, add the Active Directory Domain Services Tools from the Remote Server Administration Tools to your server with Server Manager.

The AIA object in Active Directory stores the CA's certificate. To enable all cluster nodes to update the CA certificate when required, perform the following steps:

1. Log on to the computer with enterprise permissions.
2. Click the Start button, point to Run, type dssite.msc, and then click OK.
3. Select the top node in the left pane.
4. On the View menu, select Show Services Node.
5. In the left pane, expand Services and Public Key Services, and then select AIA.
6. In the middle pane, select the CA name as it shows in the Certification Authority MMC snap-in.
7. On the Action menu, select Properties.
8. Click the Security tab.
9. Click Add.
10. Click Object Types, select Computers, and then click OK.
11. Type the computer name(s) of the other cluster node(s) as the object name and click OK.
12. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
13. Click OK.

All cluster nodes also have to be permitted on the Enrollment Services container.

14. In the left pane, select Enrollment Services.
15. In the middle pane, select the CA name.
16. On the Action menu, select Properties.
17. Click the Security tab.
18. Click Add.
19. Click Object Types, select Computers, and click OK.
20. Type the computer name(s) of the other cluster node(s) as the object name and click OK.
21. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
22. Click OK.

Finally, you must permit all cluster nodes on the KRA container.

23. In the left pane, select KRA.
24. In the middle pane, select the CA name.
25. On the Action menu, select Properties.
26. Click the Security tab.
27. Click Add.
28. Click Object Types, select Computers, and then click OK.
29. Type the computer name of another cluster node as the object name and click OK. Repeat for all other nodes in the cluster.
30. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
31. Click OK.
32. Close the Sites and Services MMC snap-in.

Adjusting the DNS Name for the CA in Active Directory


When the CA service was installed on the first cluster node, it created the Enrollment Services object and put its own fully qualified domain name (FQDN) into that object. Since the CA can operate on any of the cluster nodes, the dNSHostName attribute of the Enrollment Services object needs to be changed to the service name of the CA. Follow these steps to change the dNSHostName.

1. Log on to the computer with an account that has enterprise permissions.
2. Click the Start button, point to Run, type adsiedit.msc, and then click OK.
3. Select ADSI Edit in the left pane, select the Action menu, and then choose Connect to.
4. In the list of well-known Naming Contexts, select Configuration and click OK.
5. Expand the Configuration, Services, and Public Key Services containers in the left pane and select Enrollment Services.
6. In the middle pane, select the name of the cluster CA. On the Action menu, click Properties.
7. Select the attribute dNSHostName and click Edit.
8. Enter the service name of the CA as shown in Failover Cluster Manager under Failover Cluster Management and click OK twice.
9. Close ADSI Edit.
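The two procedures above (Full Control for the node computer accounts on the AIA, Enrollment Services and KRA objects, then the dNSHostName change) can be scripted from any domain-joined machine. The following PowerShell is an added example and not code from the guide; it uses the ADSI type accelerator and System.DirectoryServices rather than the MMC snap-ins. The CA name CONTOSOENTCA1, the cluster service name CLUSTER1.contoso.com and the node names NODE1 and NODE2 are assumed placeholders; run it as an account with enterprise permissions and check the read-back at the end before failing the CA resource over.

```powershell
# Added example (not part of the Microsoft guide): applies the AIA / Enrollment Services / KRA
# permissions and the dNSHostName change from the two procedures above with ADSI from PowerShell
# instead of the MMC snap-ins. All names below are assumed placeholders.
$CaName        = 'CONTOSOENTCA1'          # CA name as shown in the Certification Authority snap-in
$ClusterFqdn   = 'CLUSTER1.contoso.com'   # service name (client access point) of the clustered CA
$NodeNames     = @('NODE1', 'NODE2')      # every cluster node that can own the AD CS resource
$DomainNetbios = $env:USERDOMAIN          # domain holding the node computer accounts

# Locate the Public Key Services container in this forest's Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.psbase.Properties['configurationNamingContext'][0]
$pksBase  = "CN=Public Key Services,CN=Services,$configNc"

# Computer accounts are referenced as DOMAIN\NAME$
$expectedAccounts = $NodeNames | ForEach-Object { "$DomainNetbios\$_`$" }

function Grant-NodeFullControl {
    param([string]$ObjectDn)
    $entry = [ADSI]"LDAP://$ObjectDn"
    $acl   = $entry.psbase.ObjectSecurity
    foreach ($account in $expectedAccounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier])
        # GenericAll is what the snap-in displays as "Full Control".
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                   $sid,
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
                   [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
    }
    $entry.psbase.CommitChanges()
}

function Get-NodeFullControlHolders {
    # Returns the node accounts that hold an explicit Allow/GenericAll ACE on the object.
    param([string]$ObjectDn)
    $entry = [ADSI]"LDAP://$ObjectDn"
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -eq 'GenericAll' -and
                       $expectedAccounts -contains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Steps 1-32 of "Configuring the CA in Active Directory": Full Control on all three CA objects.
foreach ($container in 'AIA', 'Enrollment Services', 'KRA') {
    Grant-NodeFullControl -ObjectDn "CN=$CaName,CN=$container,$pksBase"
}

# "Adjusting the DNS Name": dNSHostName must name the cluster, not the node that installed the CA.
$enrollment = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$pksBase"
$enrollment.Put('dNSHostName', $ClusterFqdn)
$enrollment.SetInfo()

# Read everything back: each container should list every node, and dNSHostName the cluster FQDN.
foreach ($container in 'AIA', 'Enrollment Services', 'KRA') {
    $holders = @(Get-NodeFullControlHolders -ObjectDn "CN=$CaName,CN=$container,$pksBase")
    $missing = @($expectedAccounts | Where-Object { $holders -notcontains $_ })
    $note = if ($missing.Count -gt 0) { "  MISSING: $($missing -join ', ')" } else { '' }
    '{0,-20} Full Control for: {1}{2}' -f $container, ($holders -join ', '), $note
}
'dNSHostName: ' + [string]([ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$pksBase").psbase.Properties['dNSHostName'][0]
```

The read-back loop is the part worth keeping in a runbook: a node whose account is missing from any of the three objects will be unable to publish the renewed CA certificate after a failover, and that is easier to spot here than in the event log later.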


Certification Authority Renewals


When the clustered Certification Authority renews its own certificate, all nodes in the cluster must be updated with the renewed certificate information. This will occur as part of the regular maintenance process of the Certification Authority as well as whenever infrastructure or security requirements dictate the renewal.

Follow these steps to renew the CA certificate and update the cluster nodes with the new CA key.

Renew the CA certificate and export the certificate and private key.

1. Locate the node that is currently running Active Directory Certificate Services and log on with local administrator permissions.
2. Click the Start button, point to Run, type Cluadmin.msc, and then click OK.
3. Use the Cluster Administration tool to take the ADCS service resource offline.
4. Click the Start button, point to Run, type certsrv.msc, and then click OK.
5. Select the CA node in the left pane.
6. On the Action menu, click All Tasks, and then click Renew CA Certificate. Press OK to acknowledge that ADCS will be stopped during the renewal.

1. Complete the renewal wizard and, if necessary, submit your renewal request to a parent CA.
2. Once the CA renewal is complete, ensure the ADCS service is running and the ADCS cluster resource is online.
3. In the Certification Authority tool, select the CA node in the left pane.
4. On the Action menu, click Properties.
5. On the General tab, select the newest certificate, which is at the bottom of the list with the largest number. Click View Certificate.
6. In the Certificate window, select the Details tab, select the Thumbprint field, and copy the value.
7. Click the Start button, point to Run, type regedit, and then click OK.
8. Expand the following containers in the registry: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
9. Select the name of the CA in the Configuration container.
10. In the right pane, open CACertHash for editing.
11. Add the certificate thumbprint to the bottom of the existing values in the key.
12. Use the Cluster Administration tool to take the ADCS service resource offline and then back online to commit the changes to the shared storage.
13. Click the Start button, point to Run, type certsrv.msc, and then click OK.
14. Select the CA node in the left pane.
15. On the Action menu, click All Tasks, and then click Backup CA.
16. On the Welcome page of the CA backup wizard, click Next.
17. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and, optionally, the key. Click Next.
18. Provide a password to protect the CA key and click Next.
19. Click Finish.


If you are using a network HSM, a warning message will be displayed telling you that the private key cannot be exported. This is expected behavior because the private key never leaves the HSM. Click OK to continue. The CA service must be shut down to unlock the HSM resources: while the CA is selected in the left pane, on the Action menu, click All Tasks, and then click Stop Service. Close the Certification Authority MMC snap-in. Expand the Diagnostics node in the left pane of the Server Manager view and click Services. Select the service that works with the HSM. On the Action menu, click Stop.

Importing the CA certificate into the local machine certificate store on other cluster nodes.

If you are using a network HSM, confirm that the network HSM is available to the node: expand the Diagnostics node in the left pane of the Server Manager snap-in, and then click Services. Make sure that the service that connects to the network HSM is started. Refer to the HSM vendor for service information.

20. Copy the previously exported CA certificate to the cluster node.
21. Click the Start button, point to Run, type mmc, and then click OK.
22. On the File menu, click Add/Remove Snap-in.
23. Select Certificates from the list of available snap-ins and click Add.
24. Select Computer account, click Finish twice, and then click OK.
25. In the Certificate Manager MMC snap-in, expand the Certificates (Local Computer) node and select the Personal store.
26. On the Action menu, click All Tasks, and then click Import.
27. In the Certificate Import Wizard, click Next.
28. Enter the file name of the CA certificate that was previously created on the first node and click Next. If you use the Browse button to find the certificate, change the file type to Personal Information Exchange (*.pfx,*.p12).
29. Type the password that you previously used to protect the private key. The password is required even if there is no private key in the PFX file. Do not mark this key as exportable. Click Next.
30. Place the certificate in the Personal certificate store and click Next.
31. To import the certificate, click Finish.
32. To confirm the successful import, click OK.

If you are using a network HSM, you must repair the association between the certificate and the private key that is stored in the HSM.

In the Certificate Manager MMC snap-in, expand the Personal store and select the Certificates container.

Select the imported certificate. On the Action menu, click Open. Go to the Details tab. Select the Serial Number field, copy the serial number to the Clipboard, and then click OK. At a command prompt, type

certutil -repairstore -csp "<CSP Providername>" My "<Serialnumber>"

and then press ENTER. For example, omitting the -csp parameter: certutil -repairstore My "<serial number copied from the Details tab>"

Detach the shared storage from the cluster node. Go to the Server Manager MMC snap-in, expand the Storage node, and then select Disk Management. Change the state of the disk holding the CA database to offline.

Repeat as needed for all nodes in the cluster that could potentially run the ADCS resource.
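After steps 1 to 32 have been run, each node should hold the renewed CA certificate with a usable private key, and the new thumbprint should be the last entry in CACertHash. The following PowerShell is an added example, not code from the guide, that checks exactly that on the node it runs on and, for the network HSM case, issues the same certutil -repairstore command described above. The CA name CONTOSOENTCA1 and the provider name are assumed placeholders; run it on every node that can own the ADCS resource.

```powershell
# Added example (not part of the Microsoft guide): verifies on this node that the newest thumbprint in
# CACertHash matches a certificate in LocalMachine\My with a bound private key; if the key is missing
# (network HSM: the PFX carried no key) it re-binds it with certutil -repairstore. Placeholders below.
$CaName  = 'CONTOSOENTCA1'
$CspName = $null   # e.g. the HSM vendor's CSP/KSP name; $null omits -csp as in the example in the text

$configKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

function Get-CaCertHashes {
    # CACertHash is REG_MULTI_SZ, one SHA-1 hash per CA certificate, oldest first.
    # Strip any whitespace and upper-case so it compares with X509Certificate2.Thumbprint.
    (Get-ItemProperty -Path $configKey -Name CACertHash).CACertHash |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
}

function Test-RenewedCaCertificate {
    $hashes = @(Get-CaCertHashes)
    if ($hashes.Count -eq 0) { throw "No CACertHash entries under $configKey" }
    $newest = $hashes[-1]     # steps 10-11 append the renewed thumbprint at the bottom
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $newest }
    $hasKey = if ($cert) { $cert.HasPrivateKey } else { $false }
    $serial = if ($cert) { $cert.SerialNumber } else { $null }
    $expiry = if ($cert) { $cert.NotAfter } else { $null }
    [pscustomobject]@{
        Node             = $env:COMPUTERNAME
        NewestThumbprint = $newest
        InMachineStore   = [bool]$cert
        HasPrivateKey    = $hasKey
        SerialNumber     = $serial
        NotAfter         = $expiry
    }
}

$status = Test-RenewedCaCertificate
$status | Format-List

if (-not $status.InMachineStore) {
    Write-Warning 'Renewed CA certificate is not in LocalMachine\My: run steps 20-32 on this node first.'
}
elseif (-not $status.HasPrivateKey) {
    # Re-associate the imported certificate with the key held in the HSM, keyed by serial number,
    # which is the certutil -repairstore command shown in the text.
    $certutilArgs = @('-repairstore')
    if ($CspName) { $certutilArgs += @('-csp', $CspName) }
    $certutilArgs += @('My', $status.SerialNumber)
    "Running: certutil $($certutilArgs -join ' ')"
    & certutil.exe @certutilArgs
    if (-not (Test-RenewedCaCertificate).HasPrivateKey) {
        Write-Warning 'Private key is still not bound; confirm the HSM service is running on this node.'
    }
}
else {
    'Renewed CA certificate and private key are available on this node.'
}
```

Because the CA configuration lives on the shared disk, the CACertHash check only reflects the node that currently owns the storage; the certificate-store and private-key checks are per node, which is why the script is run on each of them.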


Troubleshooting
Following the migration of a Windows Server 2003 Certification Authority to a Windows Server 2008 Failover cluster, Active Directory Certificate Services fails to start and the event log shows an error from the CertificationAuthority source.

This error can be caused when the ADCS database is marked for restore operations. Verify that the RestoreInProgress value does not exist under the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration. If it does, note the cluster node owning the ADCS resource in the Cluster Administrator tool, remove the RestoreInProgress value on the node owning the service, and restart the cluster ADCS resource.

Certification Authority Web Enrollment does not work properly on a Windows Server 2008 Failover cluster if the ADCS service is also installed on the same cluster node.

If the Certification Authority is on the same node that the Web Enrollment feature is installed on, the node's DNS name is used in the Web Enrollment certdat.inc file. If the CA is not on the same node, the problem does not occur. The issue is resolved by modifying the %systemroot%\system32\certsrv\certdat.inc file to change the value of sServerConfig to "<Service name>\<CA name>".

Example certdat.inc file entry. With two cluster nodes (shown here as <node1> and <node2>), the certdat.inc file has the entries

sServerConfig="<node1>.contoso.com\CONTOSOENTCA1"
sServerConfig="<node2>.contoso.com\CONTOSOENTCA1"

Remove all but one sServerConfig line and change the remaining line to:

sServerConfig="CLUSTER1.contoso.com\CONTOSOENTCA1"

where CLUSTER1.contoso.com is the FQDN of the virtual ADCS cluster name.
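Both troubleshooting conditions above can be checked and, in the case of certdat.inc, corrected without hand-editing. The following PowerShell is an added example and not code from the guide: it tests for a leftover RestoreInProgress value under the CertSvc configuration key and rewrites certdat.inc so that exactly one sServerConfig line remains and it names the cluster. CLUSTER1.contoso.com and CONTOSOENTCA1 are assumed placeholders, and the sample certdat.inc lines are constructed for the demonstration; the rewrite is a pure function so its result can be inspected before the real file is touched.

```powershell
# Added example (not part of the Microsoft guide): checks the two conditions from the Troubleshooting
# section on the node that owns the AD CS resource and repairs certdat.inc. Placeholders below.
$ClusterFqdn = 'CLUSTER1.contoso.com'
$CaName      = 'CONTOSOENTCA1'
$ConfigKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CertdatPath = Join-Path $env:SystemRoot 'system32\certsrv\certdat.inc'

# Issue 1: a leftover RestoreInProgress value keeps certsvc from starting after the migration.
function Test-RestoreInProgress {
    $props = Get-ItemProperty -Path $ConfigKey -ErrorAction Stop
    $null -ne $props.PSObject.Properties['RestoreInProgress']
}

# Issue 2: certdat.inc must carry exactly one sServerConfig line, and it must name the cluster.
# Takes the file content as lines and returns the corrected lines (no file access, so it is testable).
function Repair-CertdatLines {
    param([string[]]$Lines, [string]$ClusterFqdn, [string]$CaName)
    $wanted = "sServerConfig=`"$ClusterFqdn\$CaName`""
    $kept = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*sServerConfig\s*=') {
            # First occurrence is rewritten to the cluster name; any later ones are dropped.
            if (-not $kept) { $kept = $true; $wanted }
        }
        else { $line }
    }
}

# Constructed sample mirroring the example in the text: two node-specific entries.
$sample = @(
    '<%',
    'sServerConfig="<node1>.contoso.com\CONTOSOENTCA1"',
    'sServerConfig="<node2>.contoso.com\CONTOSOENTCA1"',
    '%>'
)
'--- sample certdat.inc after repair ---'
Repair-CertdatLines -Lines $sample -ClusterFqdn $ClusterFqdn -CaName $CaName

# Live checks on this node.
if (Test-Path $ConfigKey) {
    if (Test-RestoreInProgress) {
        $msg = "RestoreInProgress is present under $ConfigKey on $env:COMPUTERNAME. Remove it with " +
               "Remove-ItemProperty -Path '$ConfigKey' -Name RestoreInProgress and restart the AD CS cluster resource."
        Write-Warning $msg
    }
}
if (Test-Path $CertdatPath) {
    $original = Get-Content -Path $CertdatPath
    $repaired = @(Repair-CertdatLines -Lines $original -ClusterFqdn $ClusterFqdn -CaName $CaName)
    if (Compare-Object -ReferenceObject $original -DifferenceObject $repaired) {
        Copy-Item -Path $CertdatPath -Destination "$CertdatPath.bak" -Force   # keep the original
        Set-Content -Path $CertdatPath -Value $repaired
        "certdat.inc rewritten: sServerConfig now points at $ClusterFqdn\$CaName"
    }
    else { 'certdat.inc already points at the cluster name.' }
}
```

Running the sample through Repair-CertdatLines prints the two wrapper lines with a single sServerConfig="CLUSTER1.contoso.com\CONTOSOENTCA1" between them, which is the end state the text asks for; the live section only rewrites the real file when its content differs from that result.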

Related Links

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Certificate Server Enhancements in Windows Server 2008
http://www.microsoft.com/downloads/details.aspx?familyid=…&displaylang=en

Windows Server 2008 Failover Clustering Architecture Overview
http://download.microsoft.com/download/3/b/5/…/Windows%20Server%202008%20Failover%20Clustering%20Architecture%20Overview.doc
