Considering installing CA services


Michael Leone

Dec 21, 2018, 12:19:38 PM
to NTSysAdmin
I don't run a CA in my AD. I have a CA, it's on a Linux box, and it's only for internal certs. And I did push out the root CA cert, via GPO. And the CA is for the FQDN of my AD domain.

So now we're thinking of using a 2016 NPS server, but it wants to connect to a CA first.

SO: what are the considerations, in my case, with installing a CA on one of my DCs? I mean, won't I now have an all-new root CA, that's also in the name of my AD domain? Will I have to somehow remove that old root CA (probably via GPO), and instead push out the new root CA?

What else am I missing? I'm sure there's a lot of other considerations.

Thanks

Michael B. Smith

Dec 21, 2018, 12:54:52 PM
to ntsys...@googlegroups.com

I would strongly recommend that you NOT install a CA on a DC. Doing so will, at some point, cause problems.

As I asked someone else this morning – do you also play Russian roulette?

Put it on a member server. Preferably by itself.

AD and your CA will be tightly integrated. The CA does not need to have the name of your AD in the name of the CA. I recommend you NOT include the name of your CA server in the name of your CA. (One day that server will be replaced – you’ll want the CA to go on living.)

If, for example, your CA server is named Zip-a-Dee-CA.example.com, you could name the CA itself Song-of-the-South. It would be referred to as Zip-a-Dee-CA\Song-of-the-South. The root key will be automatically published to AD. If you want to push it to all domain computers then yes, you’ll also push it via GPO.

There is no need to unpublish the old root. Each computer probably already has several dozen Trusted Root Certification Authorities (which is a root cert – I have 62). Think of a root CA like a tree trunk, a subsidiary CA like branches on a tree, and individual certs like leaves on the tree. There can be many trees in the forest, but each tree has its own branches and each tree has its own leaves. And just as each leaf knows it’s connected to a specific branch which connects to a specific tree – every certificate knows its certification chain.

That’s what this is about:

I’m happy to answer questions (and there are at least a couple of other knowledgeable CA people on this list).

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To post to this group, send email to ntsys...@googlegroups.com.
Visit this group at https://groups.google.com/group/ntsysadmin.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BiuuEd%2BkF7EJ4gN9m5NGOznrdC8o3Vqm6NAAZb7m8hi2g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Philip Elder

Dec 21, 2018, 1:06:24 PM
to ntsys...@googlegroups.com

This is a really good article:

PKI: AD CS Two-Tier CA Hierarchy with Server Core for Windows 2012 R2
From: http://binarynature.blogspot.com/2015/03/pki-active-directory-certificate-services-two-tier-ca-server-core-for-windows-2012-r2.html

There is another post on that site relative to setting up a CA as well that does things a lot differently. Both are really well done.

Philip Elder MCTS
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: (780) 458-2028
www.CommodityClusters.Com
Twitter: MPECSInc
Skype: MPECS Inc.
Cloud: Canadian Cloud Worx

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.



Micheal Espinola

Dec 21, 2018, 1:31:20 PM
to ntsys...@googlegroups.com

> I would strongly recommend that you NOT install a CA on a DC. Doing so will, at some point, cause problems.

Michael, what sort of problems come to mind?

--
Espi

Michael B. Smith

Dec 21, 2018, 1:43:24 PM
to ntsys...@googlegroups.com

Most common issue for my clients this year: forgetting that they had installed a CA on a DC and then demoting the DC (which breaks the CA).

It’s also somewhat more difficult to migrate a CA on a DC to another server than from a member server. (And eventually – you will want to migrate.)

Michael B. Smith

Dec 21, 2018, 1:46:39 PM
to ntsys...@googlegroups.com

Also had one client that denied they had any CAs – they turned out to have 3 – with 3 separate enterprise hierarchies – all 3 installed on different DCs.

They were a hoot.

Michael Leone

Dec 21, 2018, 1:58:11 PM
to NTSysAdmin
On Fri, Dec 21, 2018 at 1:14 PM Michael B. Smith <mic...@smithcons.com> wrote:
>
> I would strongly recommend that you NOT install a CA on a DC. Doing so will, at some point, cause problems.

Ah. I was under the assumption it *had* to be installed on a DC. I have no problems with creating a new VM, solely to be a CA.

> As I asked someone else this morning – do you also play Russian roulette?

Well, I *have* been lucky so far, I guess ....

LOL

> Put it on a member server. Preferably by itself.

I can do that thing.

> AD and your CA will be tightly integrated. The CA does not need to have the name of your AD in the name of the CA. I recommend you NOT include the name of your CA server in the name of your CA. (One day that server will be replaced – you’ll want the CA to go on living.)

That's one of the reasons I never made an AD CA before; I vaguely recall horror stories in the old days about how the CA would then be tied to the DC. But as I said, that was my lack of knowledge.

> If, for example, your CA server is named Zip-a-Dee-CA.example.com, you could name the CA itself Song-of-the-South. It would be referred to as Zip-a-Dee-CA\Song-of-the-South. The root key will be automatically published to AD. If you want to push it to all domain computers then yes, you’ll also push it via GPO.
>
> There is no need to unpublish the old root. Each computer probably already has a several dozen Trusted Root Certification authorities (which is a root cert – I have 62). Think of a root CA like a tree trunk, a subsidiary CA like branches on a tree, and individual certs like leaves on the tree. There can be many trees in the forest, but each tree has its own branches and each tree has its own leaves. And just as each leaf knows it’s connected to a specific branch which connects to a specific tree – every certificate knows its certification chain.
>
> That’s what this is about:

Thanks, that does help.

Micheal Espinola

Dec 21, 2018, 2:09:24 PM
to ntsys...@googlegroups.com
Ha! I bet!
--
Espi

Kurt Buff - GSEC, GCIH

Dec 21, 2018, 2:55:35 PM
to ntsys...@googlegroups.com
OMG - that's astonishing. How can you not know you have a CA, let alone three of them?

That poses a much larger question: If they're so unaware of their own environment, what else is going on that they don't know about?

Kurt

Michael B. Smith

Dec 21, 2018, 3:27:08 PM
to ntsys...@googlegroups.com

Between us, over the last several years, Carl Webster and I have come up with a pretty decent script that analyzes the crap out of an AD. It does a CA overview and then I have a separate script that does a very detailed drill-down on an AD’s CA installation(s).

Let’s be clear: Web has done most of the work on the AD script, even though he kindly gives me co-authorship credit. I’ve just given him some advice in places. And sample code. :) It’s in ongoing development. Web’s working on the next rev. He’s adding some things I requested about “Password was never set” and about “password settings objects” (I gave him sample code for both) and another feature I don’t remember for another user.

[I’m also in ongoing development on the CA script – I’m getting ready to add “Certificate Recovery” for keys and certs that were published to AD but need to be recovered into a PFX or CER.]

In regards to this particular client: they had one CA used only by Lync/Skype for Business, another CA used only by WebDev, and a third CA used only by LDAPS. The user communities didn’t overlap and they had all been installed by “prior administrators”. Certificate Services isn’t something that jumps up and screams “I’m installed here!” It’s very low impact.

Kurt Buff - GSEC, GCIH

Dec 21, 2018, 3:40:26 PM
to ntsys...@googlegroups.com
"The user communities didn’t overlap"

Different forest, or domains? That's the only thing that makes sense. After all - even before I stood up my CA, I was examining the cert stores on machines to make sure they made sense, and didn't have any suspicious certs in them.

The effort Carl and you have put into the AD script (and associated scripts) is outstanding, and I'm looking forward to the announcement of your CA script. 

Kurt

Michael B. Smith

Dec 21, 2018, 4:20:16 PM
to ntsys...@googlegroups.com

Different domains, but with a CA it doesn’t matter. All CAs are forest-level objects (a fact not well understood by most admins).

In this case, for whatever reason, it had just never reached the point of someone caring about it. Bad change control and environment documentation.
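As an added example, not code from the thread and not the Webster/Smith scripts mentioned above, here is a PowerShell inventory covering the two points made in this exchange: CAs are forest-level objects that are easy to forget, and the root the CA auto-publishes to AD still has to reach each machine's Trusted Root store via GPO. It assumes the RSAT ActiveDirectory module and a domain-joined account that can read the Configuration partition; run it on any domain member to see which enterprise CAs exist, which sit on a DC, and whether that member trusts the published roots.

```powershell
# Added example, not from the thread: find every CA the forest knows about,
# flag any enterprise CA hosted on a domain controller, and confirm that the
# roots published to AD are really in this machine's Trusted Root store.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

function Get-ForestCaInventory {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$cfg"

    # Every DC in every domain of the forest, so a CA living on one stands out
    $dcs = @(foreach ($d in (Get-ADForest).Domains) {
        (Get-ADDomainController -Filter * -Server $d).HostName
    })

    # One pKIEnrollmentService object exists per enterprise CA and names its host;
    # these live in the Configuration partition, which is why CAs are forest-wide
    Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
        ForEach-Object {
            [pscustomobject]@{
                CaName     = $_.Name
                HostServer = $_.dNSHostName
                HostedOnDC = ($dcs -contains $_.dNSHostName)
            }
        }
}

function Test-PublishedRootsTrusted {
    # Roots the CA published automatically versus what GPO delivered to the local store
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $published = Get-ADObject `
        -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate
    $localRoots = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    foreach ($obj in $published) {
        foreach ($raw in $obj.cACertificate) {   # multi-valued: one DER blob per root cert
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                TrustedLocally = ($localRoots -contains $cert.Thumbprint)
            }
        }
    }
}
Get-ForestCaInventory      | Format-Table -AutoSize
Test-PublishedRootsTrusted | Format-Table -AutoSize
```

Any row with HostedOnDC set to True is the demote-the-DC-and-break-the-CA situation described earlier in the thread; a published root with TrustedLocally False means the GPO push has not reached that machine.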

Micheal Espinola

Dec 21, 2018, 4:34:37 PM
to ntsys...@googlegroups.com
> Between us, over the last several years, Carl Webster and I have come up with a pretty decent script that

SIDEBAR: Not necessarily including what you are currently referring to based on any confidentiality, etc - But, I've been toying with the idea of making a GitHub.com repository of various scripts that we have discussed and shared over the years. I'm not sure how you guys are handling your version control, but it's very convenient to be able to fork versions, submit bugs/fixes, etc for all your various scripts. With the recent Microsoft acquisition of GitHub, maybe an idea like this falls in line with the lists more than it ever has in the past? I'm probably going to do it anyways to see if it takes off or not, but I'd be interested to hear your thoughts.

--
Espi

Michael B. Smith

Dec 21, 2018, 8:14:56 PM
to ntsys...@googlegroups.com

I think that is a great idea. However, both Carl and I have a need to be able to track downloads and references, in these days of “prove your social impact”. He for CTP, me for MVP.
