How to have a Windows 2003 and 2008 server and use one certificate authority.
I have a Windows 2003 Server with Active Directory and Certificate Authority and a Windows 2008 Server with Active Directory and Certificate Authority, both with Enterprise Certificates set up, that I use for testing. I would like to turn off Certificate Authority on my 2003 Server by stopping Certificate Services so that I would only need one Certificate Authority. How could I use only my 2008 Certificate Authority and use it for my 2008 and 2003 Policies and Users in Active Directory?
The reason I want to do this is because I have VMs with Windows XP, 7 and Vista users for my users on Windows 2003 Servers and I don't want to make a separate set of Windows VMs for my 2008 Server setup with a different Certificate Authority. If I can use one set of VMs and use the same certificates for both servers it would make my setup less complex.
Skier
October 3rd, 2011 8:27pm
Do you mean you have two domains in two different forests or is it just two DCs in the same domain/forest?
If your servers are all members of the same domain then there is no need to have more than one CA to service all domain members with certificates regardless of the version of operating system.
/Hasain
October 4th, 2011 1:17am
Hasain,
Basically the 2003 Server and the 2008 Server are set up pretty much the same except the Certificate Authorities are different. They both use the same domain SQA.net. This was set up when I had more PCs to use for testing. Now we have moved to the Dell PowerEdge T410 PC which I use to set up all of my VMs using Oracle VM VirtualBox Manager with multiple NIC cards. Now that we have moved to the VM model I need to consolidate my VMs for authenticating users. Therefore, like you said, there is no need to have more than one CA. What would I need to do in order to set up my CA on my 2008 Server so it can be used for both my 2003 and 2008 Server plus all my users? I haven't found any documentation on how to go about this. Plus, if I remove the certificate authority on my 2003 Server then how do I get the certificates on my 2003 Server that I use when I set up policies in IAS?
Skier
October 4th, 2011 9:25am
The Windows Server 2008 CA is fully backward compatible with downstream clients and you do not need to configure anything special for that.
To automatically manage the IAS server certificate:
Make sure the IAS server is registered in active directory http://technet.microsoft.com/en-us/library/cc780214(WS.10).aspx
Configure a certificate template and enable autoenrollment for the IAS server certificate http://technet.microsoft.com/en-us/library/cc754198.aspx
/Hasain
October 4th, 2011 1:00pm
Hasain,
Thanks for the info I feel I am getting close to success.
I did this on my 2003 Server
Make sure the IAS server is registered in active directory http://technet.microsoft.com/en-us/library/cc780214(WS.10).aspx
I did this on my 2008 Server
Configure a certificate template and enable autoenrollment for the IAS server certificate http://technet.microsoft.com/en-us/library/cc754198.aspx
When I create the template do I need to select Publish certificate in Active Directory under the General Tab?
Now what is the next step to getting the 2008 CA to work on my 2003 Server?
When you go to IAS>Remote Access Policy> Select Policy>Double-Click> Edit Profile>Authentication>EAP Methods>Select Edit
Highlight SmartCard or other certificate and select edit It says Certificate Issued.
How do I get it to allow me to select my 2008 Server R2 CA?
Currently I am only allowed to select my 2003 CA
Then the next question would be getting the certificate onto my PC when I want to join the 2003 Server domain? I am assuming it will know what to use.
Thanks for all your help,
Scott
ps.
Basically we are just trying to use a 2003 IAS server and a 2008 NPS server with the same certificates for the supplicants.
Skier
October 4th, 2011 4:27pm
When I create the template do I need to select Publish certificate in Active Directory under the General Tab?
....
When you go to IAS>Remote Access Policy> Select Policy>Double-Click> Edit Profile>Authentication>EAP Methods>Select Edit
Highlight SmartCard or other certificate and select edit It says Certificate Issued.
How do I get it to allow me to select my 2008 Server R2 CA?
Currently I am only allowed to select my 2003 CA
Then the next question would be getting the certificate onto my PC when I want to join the 2003 Server domain? I am assuming it will know what to use.
Thanks for all your help,
Scott
ps.
Basically we are just trying to use a 2003 IAS server and a 2008 NP server with the same certificates for the supplicants.
Skier
You do not need to publish the IAS certificate in AD.
You should see and select the certificate issued by your 2008 CA in the list and not the 2008 CA certificate it self, the reason you have the 2003 CA in the list is because your IAS is running on the same machine as the CA!
If the certificate is not there, you probably need to restart your IAS server because the Register in Active Directory is adding the server account to a new security group. After that Autoenrollment will take care of the new server certificate
and you should receive a new certificate from the 2008 to select in the certificate list.
All members in the domain are going to trust the enterprise CA automatically, the only requirement to get this done is domain membership in the same domain.
/Hasain
October 5th, 2011 12:20am
Hasain,
Thanks for the feedback. So far I am not seeing the 2008 CA in the "issued by" on my 2003 Server. My domain is SQA.net on both servers. I was wondering if I need to remove the old Certificate Authority on my 2003 Server in order for this to work. I am going to double check my steps but so far no luck.
Skier
October 5th, 2011 9:13am
Autoenrollment is not going to re-enroll the same template if you already have a certificate based on that template.
/Hasain
October 5th, 2011 12:05pm
I am sorry, I am confused with your last statement. So do I need to remove the certificate authority on my 2003 Server R2 before I do anything?
Skier
October 5th, 2011 12:35pm
Hi Hasain,
I decommissioned and removed the Certificate Authority from the 2003 Server and I am still not having any luck?
Here are my steps maybe I am missing something.
2003 Server Setup:
Open Internet Authentication Service.
Right-click Internet Authentication Service, and then click
Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog box appears, click
OK. Open Command Prompt.
At the command prompt, type netsh ras add registeredserver Domain IASServer, where
Domain is the DNS domain name of the domain and IASServer is the name of the IAS server computer.
2008 Server R2
To configure the certificate template and auto-enrollment
On the computer where Active Directory Certificate Services is installed, click
Start, click Run, type mmc, and then click
OK.
On the File menu, click Add/Remove Snap-in. The
Add or Remove Snap-ins dialog box opens.
In Available snap-ins, double-click Certification Authority. Select the CA that you want to manage, and then click
Finish. The Certification Authority dialog box closes, returning to the
Add or Remove Snap-ins dialog box.
In Available snap-ins, double-click Certificate Templates, and then click
OK.
In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.
In the details pane, click the RAS and IAS Server template.
On the Action menu, click Duplicate Template. In the
Duplicate Template dialog box, select the template version appropriate for your deployment, and then click
OK. The new template properties dialog box opens.
On the General tab, in Display Name, type a new name for the certificate template or keep the default name.
Click the Security tab. In Group or user names, click
RAS and IAS Servers.
In Permissions for RAS and IAS servers, under Allow, select the
Enroll and Autoenroll permission check boxes, and then click
OK.
Double-click Certification Authority, double-click the CA name, and then click
Certificate Templates. On the Action menu, point to
New, and then click Certificate Template to Issue. The
Enable Certificate Templates dialog box opens.
In Enable Certificate Templates, click the name of the certificate template you just configured, and then click
OK. For example, if you did not change the default certificate template name, click
Copy of RAS and IAS Servers, and then click OK.
On the computer where Active Directory Domain Services (AD DS) is installed, click
Start, click Run, type mmc, and then click
OK.
On the File menu, click Add/Remove Snap-in. The
Add or Remove Snap-ins dialog box opens.
In Available snap-ins, double-click Group Policy Management Editor. The
Select Group Policy Object wizard opens. Click Browse, and then select the
Default Domain Policy. Click OK, click
Finish, and then click OK again.
Double-click Default Domain Policy. Open Computer Configuration,
Policies, Windows Settings, Security Settings, and then select
Public Key Policies.
In the details pane, double-click Certificate Services Client - Auto-Enrollment. The
Certificate Services Client - Auto-Enrollment Properties dialog box opens.
In the Certificate Services Client - Auto-Enrollment Properties dialog box, in
Configuration Model, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
Select the Update certificates that use certificate templates check box, and then click
OK
From there I should be able to go to my 2003 Server
Select Internet Authentication Service > Remote Access Policy> My EAP-TLS Policy with Certificates
Double click EAP-TLS Policy > Edit Profile > Authentication > EAP Methods > Select Smart Card or certificate > Select Edit and I should see the issued to for the 2008 Server CA
That this point I am getting an error that certificate cannot be found.
Any ideas? I seem to be missing a step
Thanks Scott
Skier
October 6th, 2011 10:22am
The steps are just fine!
If you request the certificate manually:
Start MMC and add the Certificate snap-in and select the computer account and the local computer
In MMC, expand Certificates - Local Computer Right-click Personal and point to All tasks, and then click Request New Certificate
On the Certificate Types page, locate the "RAS and IAS Server" template in the Certificate types list, and then click Next until Finish
/Hasain
October 6th, 2011 1:04pm
Hasain,
For some reason when I do a MMC I am not seeing the certificate template RAS and IAS Server. I am going to investigate.
I should also be able to reverse the procedure between my 2003 and 2008 Server?
Thanks for all your help,
Scott
Skier
October 6th, 2011 3:32pm
Hasain,
If I do the steps below I do not see the certificate in the list. Are there some troubleshooting steps I can do to see why the certificate is not present?
Thanks
Scott
If you request the certificate manually:
Start MMC and add the Certificate snap-in and select the computer account and the local computer
In MMC, expand Certificates - Local Computer Right-click Personal and point to All tasks, and then click Request New Certificate
On the Certificate Types page, locate the "RAS and IAS Server" template in the Certificate types list, and then click Next until Finish
Skier
October 14th, 2011 9:32am
Can you try the following commands on your server:
certutil -adtemplate
certutil -catemplates
/Hasain
October 14th, 2011 9:44am
Here is the information from the certutil command. I couldn't get it to work from the 2008 CA to the 2003 Server so I am trying now from the 2003 CA to the 2008 Server since they should be backward compatible.
2008 Server
C:\Users\Administrator>certutil -adtemplate
Administrator: Administrator -- Auto-Enroll: Access is denied.
CA: Root Certification Authority -- Auto-Enroll: Access is denied.
CAExchange: CA Exchange -- Auto-Enroll: Access is denied.
CEPEncryption: CEP Encryption -- Auto-Enroll: Access is denied.
ClientAuth: Authenticated Session -- Auto-Enroll: Access is denied.
CodeSigning: Code Signing -- Auto-Enroll: Access is denied.
CrossCA: Cross Certification Authority -- Auto-Enroll: Access is denied.
CTLSigning: Trust List Signing -- Auto-Enroll: Access is denied.
DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
EnrollmentAgent: Enrollment Agent -- Auto-Enroll: Access is denied.
EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request) -- Auto-Enroll: Access is denied.
ExchangeUser: Exchange User -- Auto-Enroll: Access is denied.
ExchangeUserSignature: Exchange Signature Only -- Auto-Enroll: Access is denied.
IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.
IPSECIntermediateOnline: IPSec -- Auto-Enroll: Access is denied.
KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied.
KeyRecoveryAgent: Key Recovery Agent -- Auto-Enroll: Access is denied.
Machine: Computer -- Auto-Enroll: Access is denied.
MachineEnrollmentAgent: Enrollment Agent (Computer) -- Auto-Enroll: Access is denied.
OCSPResponseSigning: OCSP Response Signing -- Auto-Enroll: Access is denied.
OfflineRouter: Router (Offline request) -- Auto-Enroll: Access is denied.
RASAndIASServer: RAS and IAS Server -- Auto-Enroll: Access is denied.
SmartcardLogon: Smartcard Logon -- Auto-Enroll: Access is denied.
SmartcardUser: Smartcard User -- Auto-Enroll: Access is denied.
SQAComputerCertificate: SQA Computer Certificate -- Auto-Enroll
SQAIxNetworksCertificate: SQA IxNetworks Certificate -- Auto-Enroll
SQAUserCertificate: SQA User Certificate -- Auto-Enroll
SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
User: User -- Auto-Enroll: Access is denied.
UserSignature: User Signature Only -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
Workstation: Workstation Authentication -- Auto-Enroll: Access is denied.
CertUtil: -ADTemplate command completed successfully.
C:\Users\Administrator>certutil -catemplates
SQAIxNetworksCertificate: SQA IxNetworks Certificate -- Auto-Enroll
SQAComputerCertificate: SQA Computer Certificate -- Auto-Enroll
SQAUserCertificate: SQA User Certificate -- Auto-Enroll
DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
Machine: Computer -- Auto-Enroll: Access is denied.
User: User -- Auto-Enroll: Access is denied.
SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
Administrator: Administrator -- Auto-Enroll: Access is denied.
CertUtil: -CATemplates command completed successfully.
2003 Server
C:\Documents and Settings\Administrator>certutil -catemplates
2003RASandIASServer: 2003 RAS and IAS Server
SQAIxNetworksCertificate: SQA IxNetworks Certificate
SQAComputerCertificate: SQA Computer Certificate
SQAUserCertificate: SQA User Certificate
DirectoryEmailReplication: Directory Email Replication
DomainControllerAuthentication: Domain Controller Authentication
EFSRecovery: EFS Recovery Agent
EFS: Basic EFS
DomainController: Domain Controller
WebServer: Web Server
Machine: Computer
User: User
SubCA: Subordinate Certification Authority
Administrator: Administrator
CertUtil: -CATemplates command completed successfully.
C:\Documents and Settings\Administrator>
Skier
October 17th, 2011 7:44pm
According to the results above, the RAS & IAS server is not enabled/published on your 2008 CA!
/Hasain
October 18th, 2011 9:14am
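Hasain's diagnosis (the RAS and IAS Server template absent from the 2008 CA's `certutil -catemplates` list) and the template, permission and auto-enrollment procedure Scott posted earlier can all be checked from the command line instead of clicking through the MMC. The script below is an added example written for this thread; it is not code from the posts or from Microsoft's documentation. It assumes it is run in an elevated PowerShell on the Windows Server 2008 R2 enterprise CA, that the template to publish is the built-in `RASAndIASServer` (the common name shown in the certutil output above; substitute the duplicated template's name if you used one), and that the IAS machine is called `IAS2003` (an assumed name).

```powershell
# Added example, not from the thread. Run elevated on the 2008 R2 enterprise CA.
$Template = 'RASAndIASServer'   # template common name from the certutil output; change if you duplicated it
$IasHost  = 'IAS2003'           # assumed host name of the Windows 2003 IAS server

# Parse "<CommonName>: <DisplayName> -- ..." lines from certutil into a list of common names.
function Get-TemplateNames([string[]]$CertutilOutput) {
    $CertutilOutput | ForEach-Object { if ($_ -match '^(\w+):') { $Matches[1] } }
}

# 1. Is the template defined in the forest? (-adtemplate lists the forest-wide template set in AD)
$adTemplates = Get-TemplateNames (certutil -adtemplate)
if ($adTemplates -notcontains $Template) {
    throw "Template '$Template' is not defined in this forest; a CA in another forest cannot use it."
}

# 2. Is it published on this CA? (-catemplates is the per-CA "Certificate Templates to Issue" list,
#    which is what was empty of RAS/IAS in the output above)
$caTemplates = Get-TemplateNames (certutil -catemplates)
if ($caTemplates -notcontains $Template) {
    Write-Host "Publishing '$Template' on this CA ..."
    certutil -SetCATemplates "+$Template"     # same effect as New > Certificate Template to Issue in the MMC
    certutil -catemplates | Select-String $Template
}

# 3. Enroll/Autoenroll is granted to the "RAS and IAS Servers" group; "Register Server in Active Directory"
#    puts the IAS computer account into that group, and the IAS box needs a reboot to pick up the new token.
$members = net group 'RAS and IAS Servers' /domain
if (-not ($members -match [regex]::Escape($IasHost + '$'))) {
    Write-Warning "$IasHost`$ is not a member of 'RAS and IAS Servers'. Re-register the IAS server in AD and reboot it."
}

# 4. The "Certificate Services Client - Auto-Enrollment" GPO setting lands in this registry value on every
#    domain member once group policy applies; 7 = enabled + renew/update pending/remove revoked + update templates.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if ($ae.AEPolicy -ne 7) {
    Write-Warning "AEPolicy is '$($ae.AEPolicy)' (expected 7). Run gpupdate /force and re-check."
}

# 5. On the 2003 IAS server itself (no PowerShell needed there), trigger policy and look for the new cert:
#      gpupdate /force
#      certutil -store My
#    The Personal store should then hold a certificate issued by the 2008 CA with template RASAndIASServer;
#    the Application event log, source "AutoEnrollment", shows why if it does not.
```

Step 2 is the one that matches Hasain's finding: a template can exist in AD and carry the right permissions yet still be unavailable from a CA until it is on that CA's issue list. Step 3 explains the "restart your IAS server" advice earlier in the thread, since group membership only takes effect on a fresh logon token.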
Hi Hasain,
Ok, so it sounds like this is the step I am missing. So are you referring to the RAS and IAS Server template on my 2008 Server? I thought I only needed to do this on my 2003 Server and they would automatically enroll on my 2008 Server? The same would apply if I was doing 2008 CA to my 2003 Server.
Or do I need to do this step on all my servers? Can you walk me through what I need to do on my 2008 server?
Thanks
Scott
Skier
October 18th, 2011 5:07pm
You previously wrote that the 2003 CA was decommissioned and removed from the 2003 server then the only CA left is the 2008 CA and if it is not having the RAS and IAS template published you will not be able to get any certificates based on that
template from this CA.
Additionally there is a difference in the AD template list between your 2003 and 2008 servers. The 2003RASandIASServer: 2003 RAS and IAS Server template is missing from the AD template list on 2008 but present on your 2003 CA templates! That leads
me into the question if the two servers really are part of the same domain?
/Hasain
October 19th, 2011 1:11am
The servers are on the same domain but they were made independently. I am going to check DNS and make sure it has an entry in there for the other server.
Skier
October 19th, 2011 4:13pm
The servers are on the same domain but they were made independently...
What do you mean by that?
/Hasain
October 20th, 2011 1:05am
Hasain,
Since we have switched from having multiple PCs to having one PC (Dell PowerEdge T410) with Oracle VM VirtualBox Manager, this is where I created all my servers and clients separately. I had a Windows 2003 Server R2 64-bit VM created with Certificate Authority and I also created another VM with Windows 2008 Server R2 64-bit with Certificate Authority. I created them both using the SQA.net domain. Usually in the past when I created them on a PC it would detect that there was another server on the network, making the second server a backup. When I created the 2008 Server it never detected the 2003 server on the network. Therefore they are the same domain but it is like having two separate primary servers.
Scott
Skier
October 20th, 2011 8:53am
Ok, based on your description you actually have two separate forests with the same domain name in each. This means the servers can never communicate with each other nor function in a domain context as members of the same domain.
/Hasain
October 20th, 2011 10:52am
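Hasain's conclusion above can be verified directly: two domain controllers of the same domain share one domain SID, whereas two forests that merely reuse the name SQA.net have different SIDs even though their naming contexts read identically. The following PowerShell is an added example for this thread, not code from the posts; the DC host names `DC2003` and `DC2008` are assumptions, and it only needs read access to each DC over LDAP.

```powershell
# Added example, not from the thread. Run from any machine that can reach both DCs on LDAP (389).
$Dcs = 'DC2003', 'DC2008'          # assumed host names of the two domain controllers
$DomainDn = 'DC=SQA,DC=net'

# Query one DC for the identity of the domain it believes it serves.
function Get-DcDomainIdentity([string]$Dc) {
    # Bind to the domain naming context on this specific DC (not whatever DNS happens to resolve).
    $domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/$DomainDn")
    $sid    = New-Object System.Security.Principal.SecurityIdentifier($domain.Properties['objectSid'][0], 0)
    # RootDSE exposes which forest and configuration partition the DC belongs to.
    $root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/RootDSE")
    New-Object PSObject -Property @{
        DC         = $Dc
        DomainSid  = $sid.Value
        ForestRoot = [string]$root.Properties['rootDomainNamingContext'][0]
        DnsHost    = [string]$root.Properties['dnsHostName'][0]
    }
}

$report = foreach ($dc in $Dcs) { Get-DcDomainIdentity $dc }
$report | Format-Table DC, DnsHost, ForestRoot, DomainSid -AutoSize

# Same name on both lines proves nothing; the SIDs are what must match.
$distinctSids = @($report | Select-Object -ExpandProperty DomainSid -Unique)
if ($distinctSids.Count -gt 1) {
    Write-Warning "Different domain SIDs: these are two separate forests that both call themselves SQA.net."
    Write-Warning "Neither a trust nor DNS records can join them; one has to be demoted and re-joined (dcpromo)."
} else {
    Write-Host "Both DCs report the same domain SID; they belong to the same domain. Check replication with: repadmin /replsummary"
}
```

If the two VMs cannot reach each other on the network at all (Hasain's later point about the VirtualBox setup), the `DirectoryEntry` bind itself will fail for the unreachable DC, which is a useful first signal on its own.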
What would I need to do to make these two servers communicate? Is this as simple as adding a trust to windows 2008 Server R2 and would I also need to do this on my 2003 Server? Or is it just adding DNS to the existing Forward Lookup zone SQA.net
on both servers?
http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2
First Step:
To specify other DNS servers as authoritative for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.
2nd Step:
Modify Zone Transfer Settings
Updated: May 9, 2008
You can use this procedure to control whether a Domain Name System (DNS) zone will be transferred to other servers and which servers can receive the zone transfer. You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Modifying zone transfer settings
To modify zone transfer settings using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
· To disable zone transfers, clear the Allow zone transfers check box.
· To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
· To allow zone transfers to any server, click To any server.
· To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
· To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
Additional considerations
To improve the security of your DNS infrastructure, allow zone transfers only for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS
servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.
Thanks
Scott
Skier
October 21st, 2011 1:42pm
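The "Additional considerations" text Scott pasted is the one part of that DNS procedure that still applies whatever is done about the domains: a zone that transfers to "any server" hands the whole SQA.net record set to anyone who can reach port 53. The script below is an added example for this thread, not code from the posts or from the Microsoft page quoted; it uses the `dnscmd` tool that page mentions and the MicrosoftDNS WMI provider to read the result back. The server name `DNS1`, the zone `SQA.net` and the secondary address `192.0.2.10` are assumptions.

```powershell
# Added example, not from the thread. Run as a DNS administrator on or against the Windows DNS server.
$Server = 'DNS1'        # assumed DNS server host name
$Zone   = 'SQA.net'     # zone from the thread
$SecondaryIp = '192.0.2.10'   # assumed address of the one legitimate secondary

# Read the zone's transfer policy from the DNS WMI provider.
# SecureSecondaries: 0 = transfer to any server, 1 = only to servers in NS records,
#                    2 = only to the listed IPs (SecondaryServers), 3 = no transfers.
function Get-ZoneTransferPolicy([string]$DnsServer, [string]$ZoneName) {
    Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
        -Filter "ContainerName='$ZoneName'" |
        Select-Object ContainerName, SecureSecondaries, SecondaryServers
}

Write-Host "Before:"
Get-ZoneTransferPolicy $Server $Zone | Format-List

# Weak setting (what "To any server" produces); shown only so the difference is visible:
#   dnscmd $Server /ZoneResetSecondaries $Zone /NonSecure

# Hardened: transfer only to the servers listed in the zone's NS records, i.e. the "Name Servers" tab
# that the first procedure above populates.
dnscmd $Server /ZoneResetSecondaries $Zone /SecureNs

# Stricter alternative: pin the allowed secondaries to explicit addresses.
# dnscmd $Server /ZoneResetSecondaries $Zone /SecureList $SecondaryIp

Write-Host "After:"
$policy = Get-ZoneTransferPolicy $Server $Zone
$policy | Format-List
if ($policy.SecureSecondaries -eq 0) {
    Write-Warning "$Zone still transfers to any host; the change did not apply."
}

# Spot check from a host that is NOT a listed name server: a full transfer request should now be refused.
#   nslookup
#   > server DNS1
#   > ls -d SQA.net        <- expect a refusal rather than the zone contents
```

For an Active Directory-integrated zone such as SQA.net the NS records are the domain controllers themselves, so `/SecureNs` is usually the right default, and the explicit list is for the case where a non-DC secondary genuinely needs a copy.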
It is not possible to have a trust between two domains sharing the same namespace!
The simplest way is to remove one of the domains and join the other server to the remaining one. As I understand from your description you need to solve the problem with your virtualbox to enable the systems to communicate first.
/Hasain
October 21st, 2011 2:04pm
I will remove the 2003 domain and re-add it to see if that works.
Skier
October 24th, 2011 4:50pm
Hi Hasain,
Removing the 2003 domain and then rerunning dcpromo works, but the only thing I don't like is that:
1. All the users are the same on both servers.
2. Any changes to the user gets replicated on the other server.
I would really like to create some different users on each server so that I will know which server is being used.
The only thing that would be the same would be the Certificate being used.
Thanks
Scott
Skier
November 1st, 2011 7:46pm
One option is to set up different domains in the same forest and use one single CA in any of the domains to enroll certificates to both domains.
Another option is to setup two different forests with a trust and use cross-forest enrollment.
/Hasain
November 2nd, 2011 2:05am
Hi Hasain,
I am going to talk to some of my co-workers and see what options will work best for our Testing purposes. But first I want to make sure I have my facts straight.
1. My first option is to remove the domain and re-add it. This will make my 2003 Server a backup server, my users will be replicated to both servers, and they will use the same CA.
2. My second option is to setup two different forests with a trust and use cross-forest enrollment.
Now if I do that I will still need to run dcpromo and, rather than using the FQDN 2003ServerR2.SQA.net, I would use 2003ServerR2.test.SQA.net and my 2008 Server R2 would still be 2008ServerR2.SQA.net. Also, if I do this option I will be able to use the same certificates on both servers but I will be able to have different users set up on each server. But since I changed my domain 2003ServerR2.SQA.net to 2003ServerR2.test.SQA.net I will need to have separate VMs set up for each server in order to do authentication. Would that be true? If that is the case I may just lean towards creating a backup server as we previously discussed.
Thanks for all your help.
Skier
November 7th, 2011 10:55am
Both options give you the result of having one enterprise CA to issue all certificates. But having two forests (option 2) with a trust and setting up cross-forest enrollment is a far more complex solution than just having both servers in the same domain!
A third option is to have two domains in the same forest making it possible to use the same enterprise CA with a less complex setup than using a cross-forest deployment.
In any case you need to have two VMs for your two servers but you do not need to have the VMs on separate servers just because they do belong to different domains!
You should consider the option that reflects your production deployment to have a realistic test.
/Hasain
November 7th, 2011 2:01pm