Thursday, March 6, 2014

How to Install Enterprise Certificate Authority on a Windows 2008 Server

1. Open Server Manager.
2. Select Roles, then click Add Roles in the center pane.
3. The Before You Begin page may show up if you haven’t turned it off already. If you see it just click Next.
4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.
5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS.
The biggest thing to note here is the following:
Name & Domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller, do so BEFORE installing the CA.
Now with that warning out of the way, go ahead and click on Next.
6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on — refer to the table above for specifics.
For this install I am going to choose the Certification Authority only.
7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.
8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.
9. In Set Up Private Key, I am going to choose Create a new private key radio button and then select Next.
10. Now you have to Configure Cryptography for CA in this window and there are quite a few to choose from.
Now I am no expert on cryptography, but some basic rules do apply … the longer the key the harder it is to crack. For our purposes I am going to use the following settings:
RSA#Microsoft Software Key Storage Provider
4096 Key Character length
md5 Hash algorithm

Now I am going to click Next.
11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose.
I am going to overwrite the default common name with Test-Enterprise-CA, but I will leave the rest alone.
12. Next we will Set Validity Period for this CA's certificate.
Remember a root CA issues itself a certificate. The default is 5 years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.
13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA.
I am going to leave the default in place. Click Next.
14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA.
Go ahead and click Install… you know you want to!
15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.
After your glow of certificate happiness fades go ahead and click Close.
16. Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok).
17. Now you can see the snap-in is showing the CA named Test-Enterprise-CA in the left pane with a bunch of folders for certificates.
18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already set up and ready to go.
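
A post-install check of the step 10 cryptography settings, as an added example that is not part of the original post: it reads the hash the CA service signs with from the AD CS registry configuration, reads the signature algorithm and key size from the CA certificate, and warns on MD5, SHA-1 or short keys. The weak-hash list and the 2048-bit minimum are this example's assumptions.

```powershell
# Added example: audit the hash and key size of an installed AD CS CA.
# Run in an elevated PowerShell session on the CA server.

# Assumptions of this example, not AD CS defaults: adjust to your policy.
$WeakHashes = @('MD2', 'MD4', 'MD5', 'SHA1')
$MinRsaBits = 2048

# AD CS stores its settings here; 'Active' holds the CA's name.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg).Active
if (-not $caName) { throw 'No active CA is configured on this machine.' }

# Hash the CA applies to every certificate and CRL it signs from now on.
# CNGHashAlgorithm is present when the key lives in a Key Storage Provider,
# as with the "RSA#Microsoft Software Key Storage Provider" choice in step 10.
$csp         = Get-ItemProperty -LiteralPath "$cfg\$caName\CSP"
$signingHash = $csp.CNGHashAlgorithm

# The CA's own certificate is in the machine's Personal store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$caName" -or $_.Subject -like "CN=$caName,*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "CA certificate for '$caName' not found in LocalMachine\My." }

# FriendlyName looks like 'md5RSA' or 'sha256RSA'; keep only the hash part.
$certHash = $caCert.SignatureAlgorithm.FriendlyName -replace '(RSA|ECDSA)$', ''
$keyBits  = $caCert.PublicKey.Key.KeySize

$issues = @()
if ($WeakHashes -contains $signingHash) {
    $issues += "CA signs with $signingHash. Set SHA256 with: certutil -setreg ca\csp\CNGHashAlgorithm SHA256 (then restart CertSvc)."
}
if ($WeakHashes -contains $certHash) {
    $issues += "CA certificate itself is signed with $certHash; renew it after changing the signing hash."
}
if ($keyBits -lt $MinRsaBits) {
    $issues += "CA key is $keyBits bits, below the $MinRsaBits-bit minimum."
}

"CA: $caName  signing hash: $signingHash  cert signature: $certHash  key: $keyBits bits"
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'No weak hash or short key found.'
}
```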

Installing Active Directory on Windows Server 2008 R2 Enterprise 64-bit


This article provides prerequisites and steps for installing Active Directory Domain Services (AD DS) on Microsoft Windows Server 2008 R2 Enterprise 64-bit (W2K8).
This article does not provide instructions for adding a Domain Controller (DC) to an already existing Active Directory Forest Infrastructure.

Prepare for Active Directory
Before you install AD DS on a Rackspace Cloud Server running Windows Server 2008 R2 Enterprise 64-bit (W2K8), you must perform the following prerequisite tasks.

Select Domain Name and Password

Select your domain name and know the domain administrator password that you want to use.
Note: Although it is not required, we recommend that you use a multiple name format for your domain name. For example, use domainName.com or domainName.local rather than simply domainName.

Specify the Preferred DNS Server

Windows Server 2008 can properly install and configure DNS during the AD DS installation if it knows that the DNS is local. You can accomplish this by having the private network adapter’s preferred DNS server address point to the already assigned IP address of the same private network adapter, as follows:
  1. From the Windows Start menu, open Administrative Tools > Server Manager.
  2. In the Server Summary section of the Server Manager window, click View Network Connections.
  3. In the Network Connections window, right-click the private adapter and select Properties.
  4. Select Internet Protocol Version 4, and then click Properties.
  5. Copy the IP address that is displayed in the IP address box and paste it into the Preferred DNS server box. Then, click OK.
  6. Click OK in the Properties dialog box, and close the Network Connections window.
Note: The last step for prepping W2K8 for AD is adding the proper Server Role. The “Active Directory Domain Services” Role will be added. This only installs the framework for W2K8 to become a DC and run AD. It does not promote the server to DC or install AD.

Add the Active Directory Domain Services Role

Adding the Active Directory Domain Services role installs the framework for Windows Server 2008 to become a DC and run AD DS. It does not promote the server to a DC or install AD DS.

  1. In the Server Manager window, open the Roles directory and in the Roles Summary section, click Add Roles.
  2. On the Before You Begin page of the Add Roles Wizard, click Next.
  3. On the Select Server Roles page, select the Active Directory Domain Services check box, and then click Next on this page and on the Confirmation page.
  4. On the Installation Progress page, click Install.
  5. On the Results page, after the role is successfully added, click Close.

Enable the Remote Registry

  1. Open the Server Manager window if it is not already open. 
  2. In the Properties area of the Local Servers page, click Remote Management.
  3. Select the Enable remote management of this server from other computers check box.

Install Active Directory Domain Services (DCPROMO)

Now that you have prepared the server, you can install AD DS.
Tip: As an alternative to performing steps 1 through 3, you can type dcpromo.exe at the command prompt. Then, skip to step 4.
  1. If it is not already open, open the Server Manager window.
  2. Select Roles > Active Directory Domain Services.
  3. In the Summary section, click Run the Active Directory Domain Services Installation Wizard (dcpromo.exe).
  4. On the Welcome page of the Active Directory Domain Services Installation Wizard, ensure that the Use advanced mode installation check box is cleared, and then click Next.
  5. On the Operating System Capability page, click Next.
  6. On the Choose a Deployment Configuration page, select Create a new domain in a new forest and then click Next.
  7. On the Name the Forest Root Domain page, enter the domain name that you chose during the preparation steps. Then, click Next.
  8. After the installation verifies the NetBIOS name, on the Set Forest Functional Level page, select Windows Server 2008 R2 in the Forest function level list. Then, click Next.
    The installation examines and verifies your DNS setting.
  9. On the Additional Domain Controller Options page, ensure that the DNS server check box is selected, and then click Next.
  10. In the message dialog box that appears, click Yes.
  11. On the Location for Database, Log Files, and SYSVOL page, accept the default values and then click Next.
  12. On the Directory Services Restore Mode Administrator Password page, enter the domain administrator password that you chose during the preparation steps. This is not your admin password that was emailed to you during the creation of your server, although you can use that password if you want to. Then, click Next.
  13. On the Summary page, review your selections and then click Next.
    The installation begins.
  14. If you want the server to restart automatically after the installation is completed, select the Reboot on completion check box.
  15. If you did not select the Reboot on completion check box, click Finish in the wizard. Then, restart the server.
  16. After a few minutes, reconnect to your server by using the Console in your Control Panel or RDP.
  17. To log in, perform the following steps:
        a.  Click Switch User, and then click Other User.
        b.  For the user, enter the full domain name that you chose, followed by a backslash and Administrator.
        c.  Enter the password that was emailed to you when you first built the server. If you changed your password for the local admin account to this server before you began the installation of AD DS, use that password.
        d.  Click the log in button.
The installation of Active Directory Domain Services on your server is complete.
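
The wizard choices from steps 6 through 14, expressed as a dcpromo answer file and run from PowerShell (an added example, not part of the original article). The domain names are placeholders for the names chosen during preparation; the restore-mode password is prompted for, written only to a temporary answer file, and that file is deleted when dcpromo returns.

```powershell
# Added example: unattended equivalent of the new-forest wizard run above.
# Run in an elevated PowerShell session after the AD DS role has been added.

# Placeholders: replace with the domain name chosen during preparation.
$domainDns = 'corp.example.local'
$netbios   = 'CORP'

# Prompt for the Directory Services Restore Mode password instead of
# hard-coding it, so it never sits in a saved script.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ForestLevel/DomainLevel 4 = Windows Server 2008 R2 (step 8).
# InstallDNS=Yes matches the DNS server check box (step 9).
# RebootOnCompletion=No so the cleanup below runs before any restart.
$answers = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$domainDns
DomainNetbiosName=$netbios
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$file = Join-Path $env:TEMP 'dcpromo-answers.txt'
try {
    Set-Content -LiteralPath $file -Value $answers
    $p = Start-Process dcpromo.exe -ArgumentList "/unattend:`"$file`"" -Wait -PassThru -NoNewWindow
    "dcpromo exit code: $($p.ExitCode) (details in $env:windir\debug\dcpromo.log)"
} finally {
    # The answer file holds the password in clear text; remove it in all cases.
    Remove-Item -LiteralPath $file -ErrorAction SilentlyContinue
    $dsrm = $null; $answers = $null
}
```

Restart the server manually once dcpromo reports success, then log in as described in step 17.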