Features in AD CS
By using Server Manager, you can install the following components of AD CS:
- Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
- CA Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
- Online Responder. The Online Responder service accepts revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
- Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.
- Certificate Enrollment Web Service. The Certificate Enrollment Web Service enables users and computers to perform certificate enrollment that uses the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
- Certificate Enrollment Policy Web Service. The Certificate Enrollment Policy Web Service enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
Benefits of AD CS
Organizations can use AD CS to enhance security by
binding the identity of a person, device, or service to a corresponding
private key. AD CS gives organizations a cost-effective, efficient, and
secure way to manage the distribution and use of certificates.
Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPNs), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital signatures.
The new features of AD CS in Windows Server 2008 R2 include:
- Certificate enrollment that uses the HTTPS protocol.
- Certificate enrollment across Active Directory Domain Services (AD DS) forest boundaries.
- Improved support for high-volume certificate issuance.
- Support for CAs on a Server Core installation of Windows Server 2008 R2.
Hardware and software considerations
Although AD CS can be deployed on a single server, many
deployments will include multiple servers configured as CAs, other
servers configured as Online Responders, and others serving as Web
enrollment portals. CAs can be installed on servers running a variety of
operating systems, including Windows Server 2008 R2, Windows
Server 2008, Windows Server 2003, and Windows 2000 Server. However, not
all operating systems support all features or design requirements, and
creating an optimal design will require careful planning and testing
before you deploy AD CS in a production environment.
Installing AD CS
After you finish installing the operating system, you can use Server Manager to set up a CA and other optional components.
Additional configuration steps need to be completed by using the appropriate snap-ins before a CA or Online Responder is functional. For more information, refer to the related Help topics for the Certification Authority snap-in and the Online Responder snap-in.
Managing AD CS
You can use either Server Manager or Microsoft Management Console (MMC) snap-ins to manage AD CS role services. Use the following steps to open the snap-ins:
- To manage a CA, use the Certification Authority snap-in. To open the Certification Authority snap-in, click Start, click Run, type certsrv.msc, and click OK.
- To manage certificates, use the Certificates snap-in. To open the Certificates snap-in, click Start, click Run, type certmgr.msc, and click OK.
- To manage certificate templates, use the Certificate Templates snap-in. To open the Certificate Templates snap-in, click Start, click Run, type certtmpl.msc, and click OK.
- To manage an Online Responder, use the Online Responder snap-in. To open the Online Responder snap-in, click Start, click Run, type ocsp.msc, and click OK.
www.technet.microsoft.com
Published By
S.G.Godwin Dinesh.MCA
Sr.System Administrator