
Configuring and Using Active Directory Certificate Services (part 3) - Considerations for the Use and Management of AD CS & Working with Enterprise PKI

11/16/2011 3:29:43 PM

3. Considerations for the Use and Management of AD CS

Active Directory Certificate Services role services are managed by using MMC snap-ins.

Table 1. AD CS Management Tools
| TOOL | USAGE | LOCATION |
|---|---|---|
| Certification Authority | To manage a certificate authority. | Server Manager |
| Certificates | To manage certificates. This snap-in is installed by default. | Custom MMC snap-in |
| Certificate Templates | To manage certificate templates. | Server Manager |
| Online Responder | To manage an OR. | Server Manager |
| Enterprise PKI | To manage the entire PKI infrastructure. | Server Manager |
| Certutil | To manage PKI functions from the command line. | Command prompt |
| Windows PowerShell | To automate PKI functions in your AD CS deployment. | Administrative Tools program group |


Note:

INSTALL THE SNAP-IN WITHOUT INSTALLING AD CS

The snap-ins listed in Table 1 can be installed by using Server Manager and selecting the AD CS tools under Remote Server Administration Tools. If the computer from which you want to perform remote administration tasks is running Windows 7, you can obtain the Remote Server Administration Tools from the Microsoft Download Center at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d.



Note:

MORE INFO WINDOWS POWERSHELL AND AD CS

Windows PowerShell provides some support for the automation of AD CS operations. For examples of the types of operations you can perform through Windows PowerShell with AD CS, go to http://social.technet.microsoft.com/wiki/contents/articles/active-directory-certificate-services-ad-cs-powershell-examples.aspx.


As you work with AD CS, you will see that it provides a great amount of information through the Event Log. Table 2 lists the most common events for AD CS certificate authorities.

Table 2. Common Certificate Authority Event IDs
| CATEGORY | EVENT ID | DESCRIPTION |
|---|---|---|
| AD CS Access Control | 39, 60, 92 | Related to insufficient or inappropriate use of permissions. |
| AD CS and AD DS | 24, 59, 64, 91, 93, 94, 106, 107 | Related to access (read or write) for AD DS objects. |
| AD CS Certificate Request (Enrollment) Processing | 3, 7, 10, 21, 22, 23, 53, 56, 57, 79, 80, 97, 108, 109, 128, 132 | One element for certificate enrollment to succeed is missing: valid CA certificate, certificate templates with proper configuration, client accounts, or certificate requests. |
| AD CS Certification Authority Certificate and Chain Validation | 27, 31, 42, 48, 49, 51, 58, 64, 100, 103, 104, 105 | Related to availability, validity, and chain validation for a CA certificate. |
| AD CS Certification Authority Upgrade | 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 125, 126 | Related to upgrading certificate authorities from an earlier version of Windows to Windows Server 2008 R2, and can indicate configuration options or components that need to be reconfigured. |
| AD CS Cross-Certification | 99, 102 | Related to the cross-CA certificates created to establish relationships between the original certificate and the renewed root. |
| AD CS Database Availability | 17 | Related to CA database access issues. |
| AD CS Exit Module Processing | 45, 46 | Related to the exit module functions: publish or send email notification. |
| AD CS Key Archival and Recovery | 81, 82, 83, 84, 85, 86, 87, 88, 96, 98, 127 | Related to key recovery agent certificates, exchange (XCHG) certificates and keys, or that one or all of these components are missing. |
| AD CS Performance Counters Availability | 110 | Related to performance counters that cannot be started. |
| AD CS Policy Module Processing | 9, 43, 44, 77, 78 | Related to problems detected with a policy module. |
| AD CS Program Resource Availability | 15, 16, 26, 30, 33, 34, 35, 38, 40, 61, 63, 89, 90 | Related to the availability of system resources and operating system components. |
| AD CS Registry Settings | 5, 19, 20, 28, 95 | Related to the corruption or deletion of configuration settings in the registry. |
| AD CS Online Responder | 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 29, 31, 33, 34, 35 | Related to Online Responder service dependencies. |

Rely on the contents of Table 2 to quickly identify the area that an issue relates to so that you can resolve it faster.
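
The following PowerShell sketch is an added example, not code from the original article. It applies Table 2 to a set of events and shows why the event source matters: ID 64 is listed under two CA categories, and most Online Responder IDs also appear in CA categories. The provider names, the Application log, and the helper name Get-AdcsEventCategory are assumptions; the events are constructed samples.

```powershell
# Added example, not from the original article. Provider names and the
# Application log are assumptions; confirm them on your own CA.
$CaProvider   = 'Microsoft-Windows-CertificationAuthority'
$OcspProvider = 'Microsoft-Windows-OnlineResponder'

# Table 2 as data. Event ID 64 is listed under two CA categories.
$CaCategories = [ordered]@{
    'AD CS Access Control'                              = 39, 60, 92
    'AD CS and AD DS'                                   = 24, 59, 64, 91, 93, 94, 106, 107
    'AD CS Certificate Request (Enrollment) Processing' = 3, 7, 10, 21, 22, 23, 53, 56, 57, 79, 80, 97, 108, 109, 128, 132
    'AD CS Certification Authority Certificate and Chain Validation' = 27, 31, 42, 48, 49, 51, 58, 64, 100, 103, 104, 105
    'AD CS Certification Authority Upgrade'             = (111..123) + 125, 126
    'AD CS Cross-Certification'                         = 99, 102
    'AD CS Database Availability'                       = 17
    'AD CS Exit Module Processing'                      = 45, 46
    'AD CS Key Archival and Recovery'                   = 81, 82, 83, 84, 85, 86, 87, 88, 96, 98, 127
    'AD CS Performance Counters Availability'           = 110
    'AD CS Policy Module Processing'                    = 9, 43, 44, 77, 78
    'AD CS Program Resource Availability'               = 15, 16, 26, 30, 33, 34, 35, 38, 40, 61, 63, 89, 90
    'AD CS Registry Settings'                           = 5, 19, 20, 28, 95
}
$OcspIds = 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 29, 31, 33, 34, 35

function Get-AdcsEventCategory {   # hypothetical helper name
    param([string]$ProviderName, [int]$Id)
    if ($ProviderName -eq $OcspProvider) {
        if ($OcspIds -contains $Id) { return 'AD CS Online Responder' }
        return 'Uncategorized'
    }
    $hits = @($CaCategories.GetEnumerator() | Where-Object { $_.Value -contains $Id } |
              ForEach-Object { $_.Key })
    if ($hits.Count -eq 0) { return 'Uncategorized' }
    return $hits -join ' OR '      # ambiguous IDs report every matching category
}

# Constructed sample events (not real log data). For live data, replace with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $CaProvider, $OcspProvider }
$events = @(
    [pscustomobject]@{ ProviderName = $CaProvider;   Id = 17 }
    [pscustomobject]@{ ProviderName = $OcspProvider; Id = 17 }
    [pscustomobject]@{ ProviderName = $CaProvider;   Id = 64 }
    [pscustomobject]@{ ProviderName = $CaProvider;   Id = 53 }
    [pscustomobject]@{ ProviderName = $CaProvider;   Id = 53 }
)

$events | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Category = Get-AdcsEventCategory $_.ProviderName $_.Id }
} | Group-Object Category, Id | Sort-Object Count -Descending |
    Select-Object Count, Name
```

With the sample input, ID 17 resolves to AD CS Database Availability for the CA source and to AD CS Online Responder for the responder source, while ID 64 is reported under both of its Table 2 categories.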


Note:

MORE INFO AD CS EVENT IDs

To find more information on event types, read the information at http://technet2.microsoft.com/windowsserver2008/en/library/688d1449-3086-4a79-95e6-5a7f620681731033.mspx.


4. Working with Enterprise PKI

One of the most useful tools in an AD CS infrastructure is Enterprise PKI (PKIView from the command line), which appears as the Enterprise PKI node under Active Directory Certificate Services in Server Manager. Enterprise PKI can be used for several AD CS management activities. It gives you a view of the status of your AD CS deployment: you can view the entire PKI hierarchy in your network and drill down into individual CAs to quickly identify issues with the configuration or operation of your AD CS infrastructure.

Enterprise PKI is mostly used as a diagnostic and health view tool because it displays operational information about the members of your PKI hierarchy. In addition, you can use Enterprise PKI to link to each CA quickly by right-clicking the CA name and clicking Manage CA. This launches the Certification Authority console for the targeted CA.

From the Actions pane, you can also gain access to the Templates console (Manage Templates) as well as the Certificate Containers in Active Directory Domain Services (Manage AD Containers). The latter, shown in Figure 2, allows you to view the contents of each of the containers in a directory used to store certificates for your PKI architecture.

Rely on Enterprise PKI to check AD CS health status visually. Its icons give you immediate feedback on each component of your infrastructure, showing green when all is healthy, yellow when minor issues are found, and red when critical issues arise.

Figure 2. Viewing the AD containers through Enterprise PKI
