Active Directory Certificate Services

freakinrich

Hi All!

This is my first post here - I've run into a problem while studying Active Directory Certificate Services (AD CS) and was hoping that someone out there may be able to help me.

I'm trying to complete a Lab lesson from Microsoft Training Kit 70-640 (Chapter 15 Lessons 1-2).
The aim is to follow the step-by-step guide to installing a Root CA, then a subordinate CA, and configure them to work.

I have followed the instructions to the T apart from some uncontrollable variables, and I don't know if they are the issue.

Here's the setup required (with my variations noted):

Three servers: x2 2008 R2 Enterprise edition and x1 2008 R2 Standard
SERVER01 = The domain controller (Enterprise)
SERVER03 = The Root CA (Server standard)
SERVER04 = The issuing CA (Enterprise)

The guide advises that servers 03 and 04 are "member servers" so they should be a part of the domain (contoso.com).
Here's my first question. The Root CA should not be a member of the domain as it's going to be locked up for years in a safe, but the exercise gets you to add both servers. I'm not sure why; it's very contradictory.

Other differences are that the Root CA is on Windows Server 2008 (not R2). On that note, the forest functional level is 2008 and the domain functional level is 2008 too.

Once all servers are members of the domain I proceed to installing the Root CA only as a standalone server with a new private key and select all the defaults, except for changing the certificate to a 20 validity.

Next I install the Issuing CA as a subordinate CA and export the .req file. The online responder gets installed at this stage, so IIS is also installed.

I go back to the Root CA and submit the request and issue the certificate.

I then copy the certificate to file and take it back to the Issuing CA.

I install the new CA certificate and start the CA Service.

At this point the Root CA shows errors on AIA Location 2 and CDP Location 2. These errors should be there at this point and are "corrected" in the next step.

I proceed to managing the Root CA from the console, going to Properties and then the Extensions tab.
I select CDP in the drop-down box and then clear the check boxes for the http:// row only. I then select AIA from the drop-down menu, select the http:// row again and clear the check boxes.

I click OK, AD CS is restarted and the errors are supposed to disappear.

I've watched CBT Nuggets on this, I've researched on Google, and I've tried to get my head around why the errors are still there even when I've configured it not to use http to look for the CRL.

Any help or guidance or reference to learning material on the issue would be much appreciated.

Any further info required just ask...

Thanks in advance.

Rich
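The check below is an added example in PowerShell; it is not code from this thread or from the training kit. The rows on the CA's Extensions tab are stored as "<flags>:<url>" strings under the CA's registry configuration (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>), and `certutil -getreg CA\CRLPublicationURLs` / `certutil -getreg CA\CACertPublicationURLs` print the same values. The script decodes those flag bits so you can confirm that the http:// row really has its "include in issued certificates" bit cleared after clicking OK, and it can also dump the CDP and AIA URLs embedded in an already-issued certificate (for example the subordinate CA's .cer), because a certificate keeps whatever URLs were configured at the moment it was issued. The flag meanings are the ones Microsoft documents for these registry values; the sample entries at the bottom are constructed, not read from any real CA, and the script targets Windows PowerShell 2.0 as shipped with Server 2008 R2.

```powershell
# Added example, not from the thread. Decodes the "<flags>:<url>" entries behind the
# CDP and AIA rows on a CA's Extensions tab and reports which rows will still be
# written into newly issued certificates. Written for Windows PowerShell 2.0.

# Bit meanings for CA\CRLPublicationURLs (the CDP rows)
$CdpFlagNames = @{
    1   = 'Publish CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs (clients use this to find delta CRL locations)'
    8   = 'Include in all CRLs (AD publication location)'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}
# Bit meanings for CA\CACertPublicationURLs (the AIA rows)
$AiaFlagNames = @{
    1  = 'Publish the CA certificate to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}

function ConvertFrom-CAPublicationUrl {
    param([string]$Entry, [hashtable]$FlagNames)
    # An entry looks like "6:http://%1/CertEnroll/%3%8%9.crl"; split on the first
    # colon only, because the URL part contains colons of its own.
    $sep   = $Entry.IndexOf(':')
    $flags = [int]($Entry.Substring(0, $sep))
    $url   = $Entry.Substring($sep + 1)
    $set   = @()
    foreach ($bit in ($FlagNames.Keys | Sort-Object)) {
        if (($flags -band $bit) -ne 0) { $set += $FlagNames[$bit] }
    }
    New-Object PSObject -Property @{
        Url           = $url
        Flags         = $flags
        Options       = $set
        # Bit 2 is the "Include in the ... extension of issued certificates" box,
        # the one the lab tells you to clear on the http:// row.
        InIssuedCerts = (($flags -band 2) -ne 0)
    }
}

function Get-CAPublicationUrlsFromRegistry {
    # Reads the live CA configuration; run this on the CA itself as an administrator.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $cfg -Name Active).Active
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $active)
    New-Object PSObject -Property @{
        Cdp = $ca.CRLPublicationURLs      # REG_MULTI_SZ, one "<flags>:<url>" per line
        Aia = $ca.CACertPublicationURLs
    }
}

function Get-CertificateUrlExtensions {
    # Shows the CDP and AIA URLs baked into an already-issued certificate, e.g. the
    # subordinate CA's .cer. Changing the Extensions tab does not rewrite these; a
    # certificate issued before the change keeps the old URLs until it is reissued.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    foreach ($ext in $cert.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
        if (@('2.5.29.31', '1.3.6.1.5.5.7.1.1') -contains $ext.Oid.Value) {
            New-Object PSObject -Property @{
                Extension = $ext.Oid.FriendlyName
                Text      = $ext.Format($true)
            }
        }
    }
}

# Constructed sample entries (not read from any real CA), in the shape that
# certutil -getreg CA\CRLPublicationURLs / CA\CACertPublicationURLs print them.
$SampleCdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://%1/CertEnroll/%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
)
$SampleAia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:http://%1/CertEnroll/%1_%3%4.crt',
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
)

"CDP rows:"
$SampleCdp | ForEach-Object { ConvertFrom-CAPublicationUrl $_ $CdpFlagNames } |
    Format-Table Flags, InIssuedCerts, Url -AutoSize
"AIA rows:"
$SampleAia | ForEach-Object { ConvertFrom-CAPublicationUrl $_ $AiaFlagNames } |
    Format-Table Flags, InIssuedCerts, Url -AutoSize

# Any http:// row with InIssuedCerts = True means the box the lab says to clear is still
# set, so new certificates will still carry an http URL that the standalone root never serves.
```

To compare the configured rows against what the subordinate CA certificate actually contains, run `Get-CAPublicationUrlsFromRegistry` on the root CA and `Get-CertificateUrlExtensions -Path <path to the sub CA .cer>` on either machine; if the certificate still lists an http:// URL that the registry no longer flags for issued certificates, the certificate predates the change.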
 
1. No, the CA has to be a member of the domain if you are going to deploy a domain CA - otherwise it would be a standalone CA and things like auto-enrollment would not work. You would manually have to approve certificates as they come in (not intended for a domain environment). Also, the idea is to have a root CA, have that CA issue certs to a subordinate CA so that the subordinate CA can issue certs. At that point turn the root CA off so it doesn't get attacked (because if it was compromised you'd have to redo your whole CA environment).

As for your example, I will have to dig a bit deeper; I'll get back to you.
 
Thanks for the quick reply, and thanks for clearing that up. It did go against my better judgment and it didn't make sense for it to not be a member of the domain. I think I may have read something somewhere which confused me.

Just reading over my first post, I want to clear up that I had also revoked the CA Exchange type certificate on the issuing CA, which is the original self-signed cert created on installation, and published this to the CRL, so this shouldn't be causing the error but may be related.

If screenshots would help, let me know and I'll put some together.

Thanks again.

Rich
 