Active Directory Certificate Services
I have some general questions about installing Active Directory services, mostly for the Certificate Authority and web enrollment. What do I need to know first about installing these? What are some of the issues that come up, and what problems could arise after installing this? Thanks, any help is appreciated. Other information I can provide: Windows Server 2008 Standard; domain and server names already created; the web site is provided by GoDaddy; I have no test environment in my network and domain, so this will be live when created. Thanks,
T_Chambers (new to forum)
October 28th, 2011 6:15am

Installing an in-house PKI takes a lot of consideration and planning. Before anyone can advise on specific points, some details are required, like: What applications would you like to support with the in-house ADCS? How many forests and domains are there in your network? As you said the web-site cert is provided by GoDaddy, do you want to replace that with an internal one? Is that an internal website or public? For your general understanding you can go through the step-by-step implementation guide at http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx. A detailed description along with planning, design and troubleshooting is available at http://technet.microsoft.com/en-us/library/cc770357(WS.10).aspx. Please provide more information so that a specific answer can be given.
Manoj
October 28th, 2011 7:58am

You need to discuss and establish a PKI design that maps the needs you have today and the expected future needs. The good thing about ADCS and PKI integration in Active Directory is that you can easily change the PKI services in AD and run multiple parallel PKI structures simultaneously. There should not be any issues or problems just by implementing an enterprise PKI in AD, especially before beginning to use it or issuing certificates to servers and clients. The effect of introducing a new enterprise PKI to AD is very similar to trusting a new external PKI. Certificates in AD are controlled using certificate templates; based on that, the effect of having an enterprise CA is controlled by the number and type of certificate templates and the security permissions of the templates. A couple of good starting points: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure http://www.microsoft.com/download/en/details.aspx?id=20677 (all discussions in this document apply to 2008/2008 R2 as well), and Active Directory Certificate Services and Public Key Management http://technet.microsoft.com/en-us/library/cc753828.aspx
/Hasain
October 28th, 2011 8:11am
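Hasain's point that the reach of an enterprise CA is set by which templates are published and who holds Enroll/Autoenroll on them is easy to check before the first certificate is issued. The script below is an added example for this thread, not code from any poster or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT on Windows 7 / Server 2008 R2) is available on the machine you run it from; the CA itself can stay on Windows Server 2008. Everything it reads lives in the Configuration partition, which any domain user can read by default.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (RSAT on
# Windows 7 / Server 2008 R2) is available where this runs; the CA can stay on 2008.
Import-Module ActiveDirectory

# Extended-right GUIDs defined on pKICertificateTemplate objects.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
# Groups that effectively mean "every account in the domain".
$BroadPrincipals = @('Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers')

function Get-PublishedTemplateNames {
    # A template only matters once an enterprise CA publishes it: that list lives on the
    # CA's pKIEnrollmentService object, not on the template itself.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }
}

function Get-TemplateReport {
    $cfgNC     = (Get-ADRootDSE).configurationNamingContext
    $published = @(Get-PublishedTemplateNames)
    $base      = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
    $templates = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage

    foreach ($t in $templates) {
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        $enroll = @(); $autoEnroll = @()
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            $who    = $ace.IdentityReference.Value -replace '^.*\\', ''   # drop the DOMAIN\ prefix
            $all    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
            # Full control implies every extended right on the object.
            if (($rights -band $all) -eq $all) { $enroll += $who; $autoEnroll += $who; continue }
            if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }
            # An empty ObjectType means "all extended rights"; otherwise it names one right.
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollGuid)     { $enroll     += $who }
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoEnrollGuid) { $autoEnroll += $who }
        }
        $schema   = [int]$t.'msPKI-Template-Schema-Version'
        $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
        New-Object PSObject -Property @{
            Template           = $t.Name
            Published          = ($published -contains $t.Name)
            SchemaVersion      = $schema
            XpCompatible       = ($schema -le 2)             # v3 (CNG) templates need Vista/2008 or later clients
            SubjectFromRequest = (($nameFlag -band 1) -ne 0) # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: requester names the subject
            EKU                = (@($t.pKIExtendedKeyUsage) -join ',')
            Enroll             = (@($enroll     | Sort-Object -Unique) -join ';')
            AutoEnroll         = (@($autoEnroll | Sort-Object -Unique) -join ';')
            BroadEnroll        = [bool]@($enroll | Where-Object { $BroadPrincipals -contains $_ }).Count
        }
    }
}

# Published templates that every domain account can enroll for, or that XP/2003 clients cannot use:
Get-TemplateReport |
    Where-Object { $_.Published -and ($_.BroadEnroll -or -not $_.XpCompatible) } |
    Select-Object Template, SchemaVersion, XpCompatible, SubjectFromRequest, EKU, Enroll, AutoEnroll |
    Format-Table -AutoSize
```

Read the output the way Hasain describes the design: a template that is not published is inert, a published template with Enroll granted to Domain Users or Authenticated Users is available to every account, and a template that also lets the requester supply the subject is one you would normally restrict to a small group or put behind CA certificate manager approval rather than hand to a broad group. The SchemaVersion column is the check for Manoj's note about older clients: anything at version 3 will not be usable from Windows XP or Server 2003.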

Hello Manoj, on the questions that you have asked me: what I want to support is an SSL VPN connection. The applications or roles that I'm running are IIS, Active Directory, DHCP, DNS, Print Services, and File Services. I have one local domain in my network. Also, on the question about the web site: it is provided by GoDaddy and it is a public website (non-profit). Thanks for your knowledge on this and any further help provided.
T_Chambers
October 28th, 2011 8:31am

Hello Hasain, I do appreciate the information you have shared with me. I will look into the starting points that you have provided as well. Thanks again,
T_Chambers
October 28th, 2011 8:33am

Well, as you are planning to support many applications, it would be better if you first refer to the Microsoft links provided by Hasain and me. Some notes: If you are planning to support Windows 2000/XP/2003 clients then you need to be careful not to use features exclusively supported by Windows 2008/Windows 7 (like version 3 templates, SHA256 or above hashing algorithms, alternative signature formats, etc.). Many people make mistakes in AIA/CDP definitions; take some care in that part. Before you implement, plan how certificate request authorization, key export requirements, etc. should be handled. You must use an account which has Enterprise Admin and Domain Admin rights in the root domain (as you have a single domain, these accounts are in your domain). Decide the CA hierarchy; no need to go for three-tier if you cannot justify the benefits. Your public website will continue using the certificate provided by GoDaddy. If you use a local certificate, external users would not be able to validate the certificate.
Manoj
October 28th, 2011 9:37am
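Manoj's warning about AIA/CDP definitions is the one that bites an SSL VPN deployment: the VPN clients are outside the domain, so an issued certificate whose only CRL location is LDAP cannot be revocation-checked by them. The script below is an added example for this thread, not code from any poster or from Microsoft. It assumes you run it elevated on the enterprise issuing CA, that IIS on some host publishes the CA's CertEnroll folder as http://pki.example.com/CertEnroll/ (an assumed name; use one that VPN clients can resolve from outside), and the certificate and CRL file names in the last line are placeholders for your own.

```powershell
# Added example, not code from the thread. Assumes: run elevated on the issuing CA
# (Windows Server 2008); IIS serves %WINDIR%\system32\CertSrv\CertEnroll as
# http://pki.example.com/CertEnroll/ (assumed host name, reachable by VPN clients).
$HttpBase = 'http://pki.example.com/CertEnroll'

function Show-PublicationUrls {
    # Where the CA writes CRLs/its own cert, and what goes into the CDP/AIA extensions it issues.
    certutil -getreg CA\CRLPublicationURLs
    certutil -getreg CA\CACertPublicationURLs
}

function Set-PublicationUrls {
    # Each entry is "<flags>:<url>" using certutil's %-tokens (%3 CA name, %8 CRL suffix,
    # %9 delta suffix, %1 server DNS name, %4 cert suffix, %6 config DN, %7 sanitized CA name).
    # Flags: 1 publish here, 2 put in CDP/AIA extension, 4 put in the freshest-CRL extension,
    # 8 put in the CRL's IDP extension, 64 publish delta CRLs here.
    # LDAP is only reachable by domain members, so the HTTP entry is what an outside
    # VPN client will actually use; it is listed last so domain clients try LDAP first.
    certutil -setreg CA\CRLPublicationURLs ('65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n' +
        '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n' +
        "6:$HttpBase/%3%8%9.crl")
    certutil -setreg CA\CACertPublicationURLs ('1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n' +
        '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n' +
        "2:$HttpBase/%1_%3%4.crt")
    # Base CRL weekly, delta daily. New URLs only appear in certs issued after a restart.
    certutil -setreg CA\CRLPeriodUnits 1
    certutil -setreg CA\CRLPeriod 'Weeks'
    certutil -setreg CA\CRLDeltaPeriodUnits 1
    certutil -setreg CA\CRLDeltaPeriod 'Days'
    Restart-Service certsvc
    certutil -CRL   # publish a base and delta CRL to the new locations right away
}

function Test-PublicationUrls {
    param(
        [string]$IssuedCertPath,   # any cert this CA issued after the change, e.g. the VPN server's
        [string]$CrlUrl            # the HTTP CRL URL exactly as it appears in that cert
    )
    # -urlfetch retrieves every AIA and CDP URL in the chain and prints a status per URL;
    # a non-zero exit code means at least one is unreachable, malformed or expired.
    certutil -verify -urlfetch $IssuedCertPath
    $chainOk = ($LASTEXITCODE -eq 0)
    # Fetch the CRL the way an outside client would: anonymous HTTP, no LDAP, no domain creds.
    $isDer = $false
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($CrlUrl)
        $isDer = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30)   # DER SEQUENCE, not an HTML error page
    } catch {
        Write-Warning "Could not download $CrlUrl : $($_.Exception.Message)"
    }
    if (-not $isDer) { Write-Warning "$CrlUrl did not return a DER CRL; check the IIS virtual directory" }
    return ($chainOk -and $isDer)
}

# Sequence after the CA role is installed and before anything is issued to servers or clients:
Show-PublicationUrls
Set-PublicationUrls
# Placeholder file and CRL names; replace with a certificate you issued and its actual CDP URL.
Test-PublicationUrls -IssuedCertPath 'C:\temp\vpn-server.cer' -CrlUrl "$HttpBase/Example-CA.crl"
```

Two things to check alongside this. Delta CRL file names contain a "+", which IIS 7 request filtering rejects unless double escaping is allowed on that site (appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true); the Test-PublicationUrls download is the quickest way to notice that. And the host serving the HTTP CDP must not itself present a certificate from this CA, otherwise a client that cannot yet validate the chain cannot fetch the CRL it needs to validate the chain.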

