Failover Clustering and Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2


  • 8/13/2019 Failover Clustering and Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2

    1/30

Failover Clustering and Active Directory Certificate Services in Windows Server 2008 and Windows Server 2008 R2

    Microsoft Corporation

    Published: January 2010

    By Carsten B. Kinder & Mark B. Cooper

    Abstract

Active Directory Certificate Services (AD CS) in Windows Server 2008 and Windows Server 2008 R2 offers greater levels of reliability for the Certification Authority (CA) role service. This guide details the setup, configuration, and troubleshooting of AD CS with the Failover Clustering feature of Windows Server 2008 and Windows Server 2008 R2.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Configuring Certificate Services in Windows Server 2008


Table of Contents

Introduction
    Scope
    Windows Versions That Support Certificate Services Clustering
    Cluster Requirements
    Supported Deployment Scenarios
Preparing the CA Cluster Environment
    Installing the Operating System on Cluster Nodes
    Setting Up a Shared Storage
    Configuring a Network HSM
Installing and Configuring the CA Cluster
    Understanding Names Used in a Cluster Configuration
    Setting Up the CA Server Role on the First Cluster Node
    Setting Up the CA Server Role on Additional Cluster Nodes
    Setting Up the Failover Cluster Feature on Cluster Nodes
    Creating a Failover Cluster
    Configuring the Failover Cluster
    Configuring the CRL Distribution Point
    Creating the CRL Objects in Active Directory
    Configuring the CA in Active Directory
    Adjusting the DNS Name for the CA in Active Directory
Certification Authority Renewals
Troubleshooting
Related Links


Introduction

The Failover Clustering feature in Windows Server 2008 provides a high grade of reliability that can now be leveraged by Microsoft Active Directory Certificate Services.

With Microsoft Windows Server 2003 and earlier versions, multiple CAs had to be deployed into an infrastructure to achieve redundancy of certificate services.

While you can still have multiple CAs operating in your Active Directory forest, with failover clustering there is no need to deploy more than one CA to protect certificate services from unexpected failure. Note that a cluster protects against node failure only; it does not replace a CA hierarchy or the backups you would keep for a single CA.

Scope

This guide describes the steps required to set up failover clustering with Windows Server 2008 or Windows Server 2008 R2 and to deploy a CA on shared storage with or without a network hardware security module (HSM).

Shared storage is always a requirement for Failover Clustering. The network HSM ensures strong protection of the CA key material and represents a shared key store at the same time. The active node can always connect to the network HSM regardless of which physical node the cluster runs on.

Windows Versions That Support Certificate Services Clustering

Clustering support for certificate services is provided by the following versions of Windows:

Windows Server 2008, Enterprise Edition
Windows Server 2008, Datacenter Edition
Windows Server 2008 R2, Enterprise Edition
Windows Server 2008 R2, Datacenter Edition

Cluster Requirements

To run certificate services in a clustered environment, you must understand the prerequisites and under what circumstances a CA cluster is supported.

A cluster can only run a single instance of Certificate Services. A failover cluster of any size can be used to provide a high availability environment for certificate services. However, Microsoft does not support more than one instance of certificate services on a cluster.

Shared storage is required. To store the CA database and the log database for certificate services, a shared storage must be available to all cluster nodes that form the cluster.

Supported Deployment Scenarios

Deploying AD CS on a failover cluster can accomplish a number of goals for customer environments. These goals are often determined by existing certificate services servers in an environment. There are a number of ways in which a failover cluster can be deployed.


A completely new Public


Preparing the CA Cluster Environment

This section focuses on the preparation of the environment for a Certificate Services cluster.

Installing the Operating System on Cluster Nodes

To prepare the cluster nodes, you have to install Windows Server 2008 or Windows Server 2008 R2, Enterprise or Datacenter Edition, on all cluster nodes. Deploying a failover cluster requires all cluster nodes to run the same operating system version.

Setting Up a Shared Storage

Configuring shared storage can be a complex task. This guide does not provide detailed information about how to configure the shared storage. To set up a shared storage disk for certificate services, see the configuration procedures that apply to your shared storage solution.

Plan the size of the shared storage depending on the number of certificates you are enrolling for. 64


Configured where: The name of the CA is configured when the CA service is installed. See step 12 in Setting Up the CA Server Role on the First Cluster Node.

Used by: The CA name is part of the CA configuration string and is displayed as the node name in the Certification Authority Microsoft Management Console (MMC) Snap-in. The configuration string can be queried at a command line with certutil -cainfo dsname. The name is written into the Issuer attribute of every issued certificate and is also used in the following Active Directory objects in the configuration naming context under Services, Public


Setting Up the CA Server Role on the First Cluster Node

This section explains how to install certificate services on the first cluster node.

It is important to understand that the shared resources, like the disk storage that keeps the CA database and log file, must be available to the CA during setup. Releasing these resources after the setup of this node is finished is equally important, because the next node needs exclusive access to them for its own setup.

Here are the steps to configure the first cluster node.

1. Log on to the cluster node with permissions to install the first cluster node. To install an enterprise CA, log on with enterprise permissions to the Active Directory domain. To install a stand-alone CA, you may log on with local administrator permissions if you do not want to register the CA in the Active Directory configuration container.

The next steps describe how to confirm that the shared disk is available to the node.

2. Click the Start button, point to Run, type servermanager.msc, and then click OK.
3. The Server Manager MMC Snap-in opens. Expand the Storage node and select Disk Management.
4. Make sure that the shared disk that is used for the CA is online.

If you are using a network HSM, confirm that it is available to the first node: expand the Diagnostics node in the left pane of the Server Manager Snap-in, and then click Services. Make sure that the service that connects to the network HSM is started. Refer to the HSM vendor for service information.

Now you are going to install Certificate Services on the first node.

5. In the left pane of the Server Manager Snap-in, select the Roles node.
6. On the Action menu, click Add Roles.
7. On the Select Server Roles page, mark Active Directory Certificate Services, and then click Next twice.
8. On the Select Role Services page, make sure that only Certification Authority is marked, and then click Next. No AD CS role service other than the Certification Authority is supported in a clustered environment.
9. Select the setup type for the CA and click Next.
10. Select the CA type for the CA and click Next.
11. Select Create a new private key and click Next.

If you are using a network HSM, select the cryptographic service provider (CSP) provided by the HSM vendor from the list and set the desired key length. Click Next. Note this CSP name, as you will need it in the next section when using the certutil -repairstore command.


12. Enter the CA name and click Next. For more information about the CA name, see Understanding Names Used in a Cluster Configuration.
13. If you are configuring a root CA, define the validity period. If you are configuring a subordinate CA, choose whether to submit the request online or save it to a file. Click Next.
14. Change the default paths for the database and log files to the desired location on the shared storage drive set up in Setting Up a Shared Storage. Click Next.
15. Click Install.

As a next step, the CA certificate must be exported.

16. Click the Start button, point to Run, type certsrv.msc, and then click OK.
17. Select the CA node in the left pane.
18. On the Action menu, click All Tasks, and then click Back up CA.
19. On the Welcome page of the CA backup wizard, click Next.
20. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click Next.
21. Provide a password to protect the CA key and click Next.
22. Click Finish.

If you are using a network HSM, a warning message will display telling you that the private key cannot be exported. This is expected behavior because the private key never leaves the HSM. Click OK to continue.

If you are using a software CSP instead, the exported PFX file contains the CA private key. Treat the file and its password with the same care as the CA itself: move it to the other nodes over a protected channel and delete every copy once the import there is complete.

The CA service must be shut down to unlock the disk resources.

23. While the CA is selected in the left pane, on the Action menu, click All Tasks, and then click Stop Service.
24. Close the Certification Authority MMC Snap-in.

Detach the shared storage from the cluster node.

25. Go to the Server Manager MMC Snap-in, expand the Storage node, and then select Disk Management.
26. Change the state of the disk keeping the CA database to offline.

Release the HSM from the cluster node: expand the Diagnostics node in the left pane of the Server Manager view and click Services. Select the service that works with the HSM. On the Action menu, click Stop.


27. Log off cluster node one.

The installation of the Certification Authority on the first node is now complete.
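The disk and HSM checks in steps 2 to 4 and the release in steps 23 to 26 are the part of this procedure most often skipped, and a shared disk left online while the next node installs is how the CA database on it gets corrupted. The following PowerShell is an added example, not part of the original guide: it verifies that the CA's database directory sits on the shared disk, that the disk is mounted and the HSM client service is up, and afterwards stops CertSvc and the HSM service and takes the disk offline with diskpart (the Set-Disk cmdlet only appears in Windows Server 2012). The drive letter and the HSM service name are assumptions.

```powershell
# Added example, not from the original guide. Placeholders: $SharedDrive, $HsmService.
# PowerShell 2.0 / Windows Server 2008 R2 compatible; run elevated on the node being installed.
$SharedDrive = 'S:'                 # drive letter of the shared disk holding the CA database and logs
$HsmService  = 'VendorHsmClient'    # service name of the network HSM client, per the HSM vendor

function Test-CaNodePrerequisites {
    # The shared disk must be online and mounted on this node (steps 2 to 4)
    $vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$SharedDrive'"
    if (-not $vol) { throw "Shared disk $SharedDrive is not online on $env:COMPUTERNAME" }

    # If the CA is already installed, its database must live on that disk (step 14)
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (Test-Path $cfg) {
        $dbDir = (Get-ItemProperty -Path $cfg -Name DBDirectory -ErrorAction SilentlyContinue).DBDirectory
        if ($dbDir -and -not $dbDir.StartsWith($SharedDrive, 'OrdinalIgnoreCase')) {
            throw "CA database directory '$dbDir' is not on the shared disk $SharedDrive"
        }
    }

    # The HSM client service must be running before CertSvc can open the CA key
    $svc = Get-Service -Name $HsmService -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name $HsmService }
    return $true
}

function Disconnect-CaNodeResources {
    # 1. Stop the CA so the database files on the shared disk are closed (step 23)
    $ca = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    if ($ca -and $ca.Status -eq 'Running') { Stop-Service -Name CertSvc -Force }

    # 2. Release the HSM client connection
    if (Get-Service -Name $HsmService -ErrorAction SilentlyContinue) { Stop-Service -Name $HsmService -Force }

    # 3. Take the shared disk offline so the next node can bring it online without a conflict (step 26)
    $part = @(Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$SharedDrive'} " +
                                    "WHERE AssocClass=Win32_LogicalDiskToPartition"))
    if ($part.Count -eq 0) { throw "Cannot map $SharedDrive to a physical disk" }
    "select disk $($part[0].DiskIndex)", "offline disk" | diskpart | Out-Null

    # Offline disks have no mounted volumes, so the drive letter must be gone now
    if (Get-WmiObject Win32_Volume -Filter "DriveLetter='$SharedDrive'") {
        throw "Shared disk $SharedDrive is still online on $env:COMPUTERNAME"
    }
}

Test-CaNodePrerequisites
# ... install and back up the CA as described in steps 5 to 22, then release everything:
Disconnect-CaNodeResources
```

Run the first function before the role installation and the second after the CA backup has been taken; on the additional nodes the same pair applies around their own installation.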


Setting Up the CA Server Role on Additional Cluster Nodes

This section explains how to set up any additional cluster nodes.

The configuration of the additional nodes is slightly different from the first node. Some configuration settings are already defined on the first node, so they only need to be applied on the other nodes.

Install the CA on another cluster node.

1. Log on to the cluster node with permissions to install the cluster node, as explained in step 1 of the previous section.

Confirm that the shared disk is available to the cluster node.

2. Click the Start button, point to Run, type servermanager.msc, and then click OK.
3. The Server Manager MMC Snap-in opens. Expand the Storage node and select Disk Management.
4. Make sure that the shared disk that is used for the CA is online.

If you are using a network HSM, confirm that it is available to the node: expand the Diagnostics node in the left pane of the Server Manager Snap-in, and then click Services. Make sure that the service that connects to the network HSM is started. Refer to the HSM vendor for service information.

Import the CA certificate into the local machine certificate store.

5. Copy the previously exported CA certificate to the second cluster node.
6. Click the Start button, point to Run, type mmc, and then click OK.
7. On the File menu, click Add/Remove Snap-in.
8. Select Certificates from the list of available snap-ins and click Add.
9. Select Computer account, click Finish twice, and then click OK.
10. In the Certificate Manager MMC Snap-in, expand the Certificates (Local Computer) node and select the Personal store.
11. On the Action menu, click All Tasks, and then click Import.
12. In the Certificate Import Wizard, click Next.
13. Enter the file name of the CA certificate that was previously created on the first node and click Next. If you use the Browse button to find the certificate, change the file type to Personal Information Exchange (*.pfx, *.p12).
14. Type the password that you previously used to protect the private key. The password is required even if there is no private key in the PFX file. Do not mark this key as exportable. Click Next.


15. Place the certificate in the Personal certificate store and click Next.
16. To import the certificate, click Finish.
17. To confirm the successful import, click OK.


If you are using a network HSM, you must repair the association between the certificate and the private key that is stored in the HSM.

In the Certificate Manager MMC Snap-in, expand the Personal store and select the Certificates container. Select the imported certificate. On the Action menu, click Open. Go to the Details tab. Select the field Serial Number, copy the serial number to the Clipboard, and then click OK.

At a command-line prompt, type

certutil -csp "<CSP Providername>" -repairstore My "<Serialnumber>"

and then press ENTER. The CSP name is the one noted in step 11 of the first-node setup; without it, certutil searches only the default providers and will not find the key in the HSM.

For example: certutil -csp "<CSP Providername>" -repairstore My "629bdaba68590bbd488c8e0ac5bc2b"

Install Certificate Services on the node.

18. Return to the Server Manager MMC Snap-in.
19. In the left pane, select the Roles node.
20. On the Action menu, click Add Roles.
21. On the Select Server Roles page, mark Active Directory Certificate Services and click Next twice.
22. On the Select Role Services page, make sure that only Certification Authority is marked and click Next. No AD CS role service other than the Certification Authority is supported in a clustered environment.
23. Select the exact same setup type for the CA that you used for the first node and click Next.
24. Select the exact same CA type for the CA that you used for the first node and click Next.
25. Select Use existing private key, choose Select a certificate and use its associated private key, and then click Next.
26. Select the CA certificate that was generated on the first node and click Next.
27. Change the default path for the database. In the dialog box stating that an existing database was found, select Yes to overwrite it.
28. Change the default path for the database log location. In the dialog box stating that an existing database was found, select Yes to overwrite it. Click Next to continue.

Overwriting is acceptable here only because the CA installed on the first node has not issued any certificates yet. Do not follow these steps against a populated database from an existing CA.

29. Click Install.
30. To finish the role installation, click Close.


31. Log off from the cluster node.


Setting Up the Failover Cluster Feature on Cluster Nodes

Failover Clustering is a feature of Windows Server 2008 Enterprise and Datacenter Editions. Repeat the following steps on all cluster nodes that will potentially run Active Directory Certificate Services.

1. Log on to one of the cluster nodes with local administrator permissions.
2. Click the Start button, point to Run, type servermanager.msc, and then click OK.
3. The Server Manager MMC Snap-in opens. In the left pane, select the Features node.
4. On the Action menu, click Add Features.
5. In the list of available features, mark Failover Clustering and click Next.
6. Click Install.
7. Click Close.

Creating a Failover Cluster

1. Log on to the cluster node that is still attached to the shared storage drive.
2. Click the Start button, point to Run, type Cluadmin.msc, and then click OK.
3. If the Before you begin page appears, click Next.
4. Enter the cluster node name (computer name) of the first cluster node and click Add. For more information about the cluster node name, see Understanding Names Used in a Cluster Configuration.
5. Enter the cluster node name of the other cluster nodes and click Add.
6. Click Next to continue.
7. To perform the validation tests, choose Yes and click Next twice.
8.


4. In the list of services and applications, select


You must restart the CA service after changing the CRL and AIA URLs.

Follow these steps to make changes to the CRL and AIA URLs:

1. Log on to the active cluster node with local administrator permissions.
2. Click the Start button, point to Run, type regedit, and then click OK.
3. Expand the following containers in the registry.
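The registry containers the steps above refer to hold the CA's publication URLs, and the reason they have to change is that the defaults embed the installing node's own name: a CRL or AIA URL that names node one is unreachable after a failover, and revocation checking for every issued certificate fails with it. The following PowerShell is an added example, not part of the original guide. It writes the same CA configuration values through certutil -setreg instead of regedit, replacing the node-specific variables with the cluster's network name, publishes the CRL to the shared disk, and restarts the CA through the cluster rather than through the service controller, so the resource monitor does not treat the stop as a failure. The cluster name, the shared path, the web path and the resource name are assumptions; the CN named after the cluster under CN=CDP must already exist in Active Directory (the "Creating the CRL Objects in Active Directory" section), and a web server on each node or elsewhere is assumed to serve the shared directory as /CertEnroll.

```powershell
# Added example, not from the original guide. All names below are placeholders.
# Run from an elevated prompt on the node that currently owns the CA resource.
$ClusterFqdn  = 'pki-cluster.contoso.com'   # client access point (network name) of the CA's resource group
$ClusterShort = 'PKI-CLUSTER'               # its NetBIOS form; CN=PKI-CLUSTER,CN=CDP,... must exist in AD
$CrlShare     = 'S:\CertEnroll'             # directory on the shared disk, assumed to be served as /CertEnroll
$CaResource   = 'Contoso Issuing CA'        # generic-service resource for CertSvc in Failover Cluster Manager

# Record the current values. The defaults contain %1 (this node's DNS name) and %2 (its NetBIOS
# name), so anything published so far points at whichever node happened to be active.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Numeric prefixes are the CA's flag bits: 1 = publish CRLs to this location, 2 = include in the
# CDP/AIA extension of issued certificates, 64 = publish delta CRLs here; 4 and 8 control how the
# location is referenced from within CRLs. 65, 6, 79 and 3 are the values the CA ships with; only
# the host part changes. %3 = CA name, %4 = certificate index, %7 = sanitized CA name,
# %8 = CRL index, %9 = delta suffix, %6 = configuration naming context, %10/%11 = object classes.
# Neither %1 nor %2 appears anywhere, including in the file names.
$crlUrls = @(
    "65:$CrlShare\%3%8%9.crl",
    "6:http://$ClusterFqdn/CertEnroll/%3%8%9.crl",
    "79:ldap:///CN=%7%8,CN=$ClusterShort,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)
$aiaUrls = @(
    "1:$CrlShare\${ClusterFqdn}_%3%4.crt",
    "2:http://$ClusterFqdn/CertEnroll/${ClusterFqdn}_%3%4.crt",
    "3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
)

# certutil splits the argument at each literal \n into one REG_MULTI_SZ entry
certutil -setreg CA\CRLPublicationURLs ($crlUrls -join '\n') | Out-Null
certutil -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n') | Out-Null

# Restart the CA through the cluster, not through services.msc: a service stopped behind the
# back of the resource monitor counts as a failure and can trigger a failover mid-change.
cluster res $CaResource /offline | Out-Null
cluster res $CaResource /online  | Out-Null
while ((Get-Service -Name CertSvc).Status -ne 'Running') { Start-Sleep -Seconds 2 }

# Publish a fresh CRL to the new locations and prove it is reachable under the cluster name,
# which is the path a client will take after a failover.
certutil -crl | Out-Null
$crlFile = Get-ChildItem -Path $CrlShare -Filter '*.crl' | Sort-Object LastWriteTime | Select-Object -Last 1
$bytes   = (New-Object System.Net.WebClient).DownloadData("http://$ClusterFqdn/CertEnroll/$($crlFile.Name)")
'Fetched {0} bytes of {1} via {2}' -f $bytes.Length, $crlFile.Name, $ClusterFqdn
```

Certificates issued before the change keep their old CDP and AIA extensions; only newly issued certificates carry the cluster URLs, so re-issue anything that was enrolled during the build.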


Configuring the CA in Active Directory

You can perform the following tasks using any computer in your Active Directory forest where the Active Directory Sites and Services MMC Snap-in and ADSI Edit are installed. To install both tools on Windows Server 2008, add the Active Directory Domain Services feature from the Remote Server Administration Tools to your server with Server Manager. The AIA object in Active Directory stores the CA's certificate.

To enable all cluster nodes to update the CA certificate when required, perform the following steps:

1. Log on to the computer with enterprise permissions.
2. Click the Start button, point to Run, type dssite.msc, and then click OK.
3. Select the top node in the left pane.
4. On the View menu, select Show Services Node.
5. In the left pane, expand Services and Public Key Services, and then select AIA.
6. In the middle pane, select the CA name as it shows in the Certification Authority MMC Snap-in.
7. On the Action menu, select Properties.
8. Click the Security tab.
9. Click Add.
10. Click Object Types, select Computers, and then click OK.
11. Type the computer name(s) of the other cluster node(s) as the object name and click OK.
12. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
13. Click OK.

All cluster nodes also have to be permitted on the Enrollment Services container.

14. In the left pane, select Enrollment Services.
15. In the middle pane, select the CA name.
16. On the Action menu, select Properties.
17. Click the Security tab.
18. Click Add.
19. Click Object Types, select Computers, and click OK.
20. Type the computer name(s) of the other cluster node(s) as the object name and click OK.
21. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
22. Click OK.

Finally, you must permit all cluster nodes on the


26. Click the Security tab.
27. Click Add.
28. Click Object Types, select Computers, and then click OK.
29. Type the computer name of another cluster node as the object name and click OK. Repeat for all other nodes in the cluster.
30. Make sure that the computer accounts of all cluster nodes have Full Control permissions.
31. Click OK.
32. Close the Sites and Services MMC Snap-in.

Adjusting the DNS Name for the CA in Active Directory

When the CA service was installed on the first cluster node, it created the Enrollment Services object and put its own fully qualified domain name (FQDN) into that object. Since the CA can operate on any of the cluster nodes, the dNSHostName of the Enrollment Services object needs to be changed to the service name of the CA. Enrollment clients build the CA configuration string from this attribute and connect to that host, so while it still names node one, enrollment fails as soon as the CA runs anywhere else.

Follow these steps to change the dNSHostName.

1. Log on to the computer with enterprise permissions.
2. Click the Start button, point to Run, type adsiedit.msc, and then click OK.
3. Select ADSI Edit in the left pane, select the Action menu, and then choose Connect to.
4. In the list of well-known Naming Contexts, select Configuration and click OK.
5. Expand the Configuration, Services, and Public Key Services containers in the left pane and select Enrollment Services.
6. In the middle pane, select the name of the cluster CA. On the Action menu, click Properties.
7. Select the attribute dNSHostName and click Edit.
8. Enter the service name of the CA as shown in the Failover Cluster Manager under Failover Cluster Management and click OK twice.
9. Close ADSI Edit.
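The two procedures above (Full Control for the node computer accounts on the CA's AIA and Enrollment Services objects, and the dNSHostName change) can be done in one pass from a machine with the Active Directory RSAT module. The following PowerShell is an added example, not part of the original guide; the sanitized CA name, the cluster name and the node names are assumptions, and the third container from the guide, whose name does not survive on this page, is not covered. It grants the same GenericAll right the Security tab shows as Full Control, sets the attribute, and then reads both back so that a missing ACE on any node is reported rather than discovered at the next failover.

```powershell
# Added example, not from the original guide. Placeholders: $CaSanitizedName, $ClusterFqdn, $Nodes.
# Requires the ActiveDirectory module (RSAT) and enterprise administrator rights.
Import-Module ActiveDirectory

$CaSanitizedName = 'Contoso Issuing CA'          # CN of the CA's AD objects; certutil -cainfo dsname shows it
$ClusterFqdn     = 'pki-cluster.contoso.com'     # network name clients must use to reach the CA
$Nodes           = 'NODE1', 'NODE2'              # computer names of all nodes that can host the CA resource

$pkiBase = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$aiaDn   = "CN=$CaSanitizedName,CN=AIA,$pkiBase"
$esDn    = "CN=$CaSanitizedName,CN=Enrollment Services,$pkiBase"

function Grant-NodesFullControl {
    param([string]$DistinguishedName)
    # GenericAll is what the Security tab displays as "Full Control"
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($node in $Nodes) {
        $sid = (Get-ADComputer -Identity $node).SID
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

function Test-NodesFullControl {
    param([string]$DistinguishedName)
    # Returns the node names that are still missing an Allow GenericAll entry
    $granted = (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
    $Nodes | Where-Object { $granted -notcontains "$env:USERDOMAIN\$_`$" }   # computer accounts end in $
}

Grant-NodesFullControl -DistinguishedName $aiaDn
Grant-NodesFullControl -DistinguishedName $esDn

# The installer wrote the first node's FQDN here; clients build the CA config string
# "<dNSHostName>\<CA name>" from it, so it has to name the cluster, not a node.
Set-ADObject -Identity $esDn -Replace @{ dNSHostName = $ClusterFqdn }

# Verification
$actual = (Get-ADObject -Identity $esDn -Properties dNSHostName).dNSHostName
if ($actual -ne $ClusterFqdn) { throw "dNSHostName is '$actual', expected '$ClusterFqdn'" }
foreach ($dn in $aiaDn, $esDn) {
    $missing = @(Test-NodesFullControl -DistinguishedName $dn)
    if ($missing.Count) { Write-Warning ("No Full Control on {0} for: {1}" -f $dn, ($missing -join ', ')) }
}
```

If the CA name contains characters that are not valid in a distinguished name, the CN of the objects is the sanitized form reported by certutil -cainfo dsname, not the display name; that is the value to put in $CaSanitizedName.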


Certification Authority Renewals

When the clustered Certification Authority renews its own certificate, all nodes in the cluster must be updated with the renewed certificate information. This will occur as part of the regular maintenance process of the Certification Authorities as well as when any infrastructure or security requirements dictate the renewal.

Follow these steps to renew the CA certificate and update the cluster nodes with the new CA key.

Renew the CA certificate and export the certificate and private key.

1. Locate the node that is currently running Active Directory Certificate Services and log on with local administrator permissions.
2. Click the Start button, point to Run, type Cluadmin.msc, and then click OK.
3. Use the Cluster Administration tool to take the AD CS service resource offline.
4. Click the Start button, point to Run, type certsrv.msc, and then click OK.
5. Select the CA node in the left pane.
6. On the Action menu, click All Tasks, and then click Renew CA Certificate. Press OK to acknowledge that AD CS will be stopped during the renewal.
7. Complete the renewal wizard and, if necessary, submit your renewal to a parent CA.
8. Once the CA renewal is complete, ensure that the AD CS service is running and the AD CS cluster resource is online.
9. In the Certification Authority tool, select the CA node in the left pane.
10. On the Action menu, click Properties.
11. On the


14. Select the CA node in the left pane.
15. On the Action menu, click All Tasks, and then click Back up CA.
16. On the Welcome page of the CA backup wizard, click Next.
17. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click Next.
18. Provide a password to protect the CA key and click Next.
19. Click Finish.


If you are using a network HSM, a warning message will display telling you that the private key cannot be exported. This is expected behavior because the private key never leaves the HSM. Click OK to continue.

The CA service must be shut down to unlock the HSM resources.

While the CA is selected in the left pane, on the Action menu, click All Tasks, and then click Stop Service. Close the Certification Authority MMC Snap-in.

Expand the Diagnostics node in the left pane of the Server Manager view and click Services. Select the service that works with the HSM. On the Action menu, click Stop.

Import the CA certificate into the local machine certificate store on the other cluster nodes.

If you are using a network HSM, confirm that it is available to the node: expand the Diagnostics node in the left pane of the Server Manager Snap-in, and then click Services. Make sure that the service that connects to the network HSM is started. Refer to the HSM vendor for service information.

20. Copy the previously exported CA certificate to the cluster node.
21. Click the Start button, point to Run, type mmc, and then click OK.
22. On the File menu, click Add/Remove Snap-in.
23. Select Certificates from the list of available snap-ins and click Add.
24. Select Computer account, click Finish twice, and then click OK.
25. In the Certificate Manager MMC Snap-in, expand the Certificates (Local Computer) node and select the Personal store.
26. On the Action menu, click All Tasks, and then click Import.
27. In the Certificate Import Wizard, click Next.
28. Enter the file name of the CA certificate that was previously exported on the active node and click Next. If you use the Browse button to find the certificate, change the file type to Personal Information Exchange (*.pfx, *.p12).
29. Type the password that you previously used to protect the private key. The password is required even if there is no private key in the PFX file. Do not mark this key as exportable. Click Next.
30. Place the certificate in the Personal certificate store and click Next.
31. To import the certificate, click Finish.
32. To confirm the successful import, click OK.


If you are using a network HSM, you must repair the association between the certificate and the private key that is stored in the HSM.

In the Certificate Manager MMC Snap-in, expand the Personal store and select the Certificates container. Select the imported certificate. On the Action menu, click Open. Go to the Details tab. Select the field Serial Number, copy the serial number to the Clipboard, and then click OK.

At a command-line prompt, type

certutil -csp "<CSP Providername>" -repairstore My "<Serialnumber>"

and then press ENTER. Use the serial number of the renewed certificate, not of the previous one.

For example: certutil -csp "<CSP Providername>" -repairstore My "629bdaba68590bbd488c8e0ac5bc2b"

Detach the shared storage from the cluster node. Go to the Server Manager MMC Snap-in, expand the Storage node, and then select Disk Management. Change the state of the disk keeping the CA database to offline.

Repeat as needed for all nodes in the cluster that could potentially run the AD CS resource.
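The import-and-repair sequence above, used both when adding a node and after a renewal, is the step where a node silently ends up with a certificate but no usable key, which only shows when the CA fails over to it. The following PowerShell is an added example, not part of the original guide: it imports the exported file into the machine store without the exportable flag, runs certutil -repairstore against the HSM provider, and then refuses to finish unless the store reports a key association for that serial number. The file path and CSP name are assumptions; with a software CSP the PFX already carries the key and the repair step is not needed.

```powershell
# Added example, not from the original guide. Placeholders: $PfxPath, $CspName.
# Run elevated on the node being updated, with the HSM client service already running.
$PfxPath = 'D:\Transfer\ContosoIssuingCA.p12'          # file produced by Back up CA on the active node
$CspName = 'Vendor Network HSM Cryptographic Provider'  # exact CSP name chosen at first-node step 11

function Import-CaCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)
    # Import into LocalMachine\My; the key is NOT marked exportable, matching the wizard step
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert.SerialNumber          # hex string, the form certutil -repairstore accepts
}

function Repair-CaKeyBinding {
    param([string]$Serial, [string]$Csp)
    # Re-associate the certificate with the key held in the HSM; the key never leaves the device.
    # Without -csp certutil only consults the default providers and reports "no key".
    certutil -csp $Csp -repairstore My $Serial | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $Serial }
    if (-not $c) { throw "Certificate $Serial not found in LocalMachine\My" }
    if (-not $c.HasPrivateKey) { throw "Certificate $Serial still has no key association; check the CSP name" }
    return $c.HasPrivateKey
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$serial      = Import-CaCertificate -Path $PfxPath -Password $pfxPassword
Repair-CaKeyBinding -Serial $serial -Csp $CspName
certutil -verifystore My $serial          # should now show a Provider / Key Container for the certificate
Remove-Item -Path $PfxPath -Force         # the transfer copy has served its purpose
```

The HasPrivateKey check is what the MMC does not give you: the certificate shows up in Personal either way, and only the key icon, or this property, tells you whether the node can actually sign with it.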


Troubleshooting

Following the migration of a Windows Server 2003 Certification Authority to a Windows Server 2008 failover cluster, Active Directory Certificate Services fails to start and the event log shows Event ID 5, CertificationAuthority.

This error can be caused when the AD CS database is marked for restore operations. Verify that RestoreInProgress does not exist in the registry
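The following PowerShell is an added example, not part of the original guide, for the check described above. It assumes that the flag is the RestoreInProgress value (or subkey) under the CA's own key beneath HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, which is where certutil -restore records an in-progress restore, and that the cluster resource carries the CA's name; both are assumptions. It exports the key before removing anything and brings the CA back through the cluster so that the resource state stays consistent.

```powershell
# Added example, not from the original guide. Assumptions: location of the flag, resource name.
$cfgKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # name of the CA this node hosts
$caKey      = Join-Path $cfgKey $caName
$caResource = $caName                                                # assumed: cluster resource named after the CA

function Test-RestoreInProgress {
    # $true when the database is still flagged as being restored, in either representation
    $asValue = Get-ItemProperty -Path $caKey -Name RestoreInProgress -ErrorAction SilentlyContinue
    $asKey   = Test-Path -Path (Join-Path $caKey 'RestoreInProgress')
    return [bool]($asValue -or $asKey)
}

function Clear-RestoreInProgress {
    # Keep an undo copy of the whole CertSvc configuration before touching it
    $backup = Join-Path $env:TEMP 'CertSvc-Configuration.reg'
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $backup /y | Out-Null
    Remove-ItemProperty -Path $caKey -Name RestoreInProgress -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $caKey 'RestoreInProgress') -Recurse -ErrorAction SilentlyContinue
    return -not (Test-RestoreInProgress)
}

if (Test-RestoreInProgress) {
    Write-Warning "CA '$caName' is flagged RestoreInProgress; CertSvc will refuse to start"
    # Only clear the flag when no certutil -restore or restore wizard is actually running
    if ((Read-Host 'No restore is running against this CA. Clear the flag? (y/n)') -eq 'y') {
        if (Clear-RestoreInProgress) { cluster res $caResource /online | Out-Null }
    }
}

# Confirm the outcome: service state and the latest CA events
Get-Service -Name CertSvc
Get-EventLog -LogName Application -Source Microsoft-Windows-CertificationAuthority -Newest 5
```

If the flag is absent and the service still fails, the cause is elsewhere; the events returned by the last line name the component that refused to start.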


Related Links

Best Practices for Implementing a Microsoft Windows Server 2003 Public