Can DC double as certificate server for EFS?
Can DC double as certificate server for EFS? - 6/17/2008 11:20:51 PM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
Our company is not that big.  We do have 2 DC's in our main office, and one in a small satellite office of 6 people that doubles as their local file server.

Our IT groups has been asked to enable EFS on all corporate laptops (about 100 of them).  It looks like we're best served setting up a certificate server to store all those keys.  Is it "ok" to use our DC?  We want reliability, but we don't have spare server class hardware sitting around.

Also, if anyone has any good docs/urls you could point me to that walk through my scenario step by step (if only high level), it would be a big help.

Thanks.

KH

PS : If I've posted to the wrong forum, please point me in the right direction!
Post #: 1
RE: Can DC double as certificate server for EFS? - 6/18/2008 8:39:24 AM   
gjones


Posts: 903
Score: 60
Joined: 6/5/2001
From: Ottawa, Ontario, Canada
Status: offline
Yes you can use a DC as your Cert server. But the bigger issue is what version of Windows are you using, Standard or Enterprise? Let's hope it is Enterprise, it will save you tons of work.

_____________________________

Garth@enhansoft.com

For a List of my Articles
http://www.myitforum.com/contrib/default.asp?cid=116
Blogs:
http://smsug.ca/blogs/garth_jones/default.aspx
http://myitforum.com/cs2/blogs/gjones/default.aspx


(in reply to khunter)
Post #: 2
RE: Can DC double as certificate server for EFS? - 6/18/2008 9:44:41 AM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
Well, my DC's are Standard, but I do have a "utility" server that's running Enterprise R2 SP2.  It's currently my print server, WSUS server, SMS distribution point (not the main one), and our Symantec AV "parent" server for workstations to get their virus definitions.  Granted no one task requires a lot of resources, but I'm worried I might have too many eggs in one basket.  Still, it's a natural choice. 

What are the benefits of using Enterprise vs Standard?

KH

(in reply to gjones)
Post #: 3
RE: Can DC double as certificate server for EFS? - 6/18/2008 10:43:30 AM   
jsandys


Posts: 628
Score: 27
Joined: 3/24/2005
From: San Antonio, TX
Status: offline
Certificate Services on Windows Enterprise Server lets you use customized certificate templates.  This is a near must-have if you plan on rolling out any application that uses certificates for mutual authentication: ConfigMgr in native mode is the prime example in my experience.

Also note that certificate services is very, very low overhead.  It's mainly a database for your certificates.  It issues a cert every now and then and publishes CRLs every now and then.  99% of the time it just sits there doing nothing.

_____________________________

Jason
________________________________________
http://myitforum.com/cs2/blogs/jsandys/default.aspx

(in reply to khunter)
Post #: 4
RE: Can DC double as certificate server for EFS? - 6/18/2008 10:49:09 AM   
gjones


Posts: 903
Score: 60
Joined: 6/5/2001
From: Ottawa, Ontario, Canada
Status: offline
Also Enterprise server allows for auto enrollment, so you don't have to visit each WS to apply the certificate.

(in reply to jsandys)
Post #: 5
RE: Can DC double as certificate server for EFS? - 6/18/2008 8:57:51 PM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
Ok.  I'm convinced.  So can anyone point me to some solid documentation that will help me set up EFS for our mobile users along w/ setting up the CA, and the recovery policy in AD, and all the recovery agents?  I'm not finding actual steps to perform on TechNet (yet).  Just "best practice" generalities so far.

Any help is greatly appreciated!

KH

(in reply to gjones)
Post #: 6
RE: Can DC double as certificate server for EFS? - 6/18/2008 10:39:30 PM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
I found this : http://www.shijaz.com/windows/EFS_with_Key_Archival.htm.

He mentions creating a root CA and a subordinate CA.  I found out from our Network Manager that he's already created a root CA that's running on a linux box.  Can I create a windows based subordinate CA that points to the linux based root CA?  Don't I need a windows based CA to make EFS key/cert mgmt work?

KH

(in reply to khunter)
Post #: 7
RE: Can DC double as certificate server for EFS? - 6/19/2008 9:22:10 AM   
jsandys


Posts: 628
Score: 27
Joined: 3/24/2005
From: San Antonio, TX
Status: offline
EFS is on by default and will use an Enterprise CA once you install one, no configuration necessary.  It will automatically issue a key recovery cert to the domain admin but you should definitely set up another key recovery account: http://technet2.microsoft.com/WindowsServer/en/Library/9216103d-91c6-40da-a370-f95ccf4beaca1033.mspx?mfr=true.  Best practice is to actually create a separate, low-privilege account for this.  Also check out the Microsoft Certificate Service Tech Center: http://technet2.microsoft.com/WindowsServer/en/Library/9216103d-91c6-40da-a370-f95ccf4beaca1033.mspx?mfr=true, it has a lot of good info including planning, implementation, and administration checklists for certificate services.

One quick note, a certificate services CA installed on Windows Enterprise is not the same thing as an Enterprise CA.  An Enterprise CA is a CA that is integrated with AD and enables autoenrollment among other things.  A CA installed on Windows Enterprise enables version two certificates and certificate template customization.  If you can swing it, installing a CA on Windows Enterprise can help especially if you deploy ConfigMgr in native mode.

As for the windows CA subordinate to a *nix CA, sure it's possible.  All a subordinate CA really is, is a CA that has a subordinate certificate issued to it from its parent.  If you can issue one of these certs from the *nix CA for the Windows CA, which are all 100% standards based, the Windows CA doesn't care.  This subordinate Windows CA can then be an Enterprise CA; i.e., integrated with AD.  Also note that you are not limited to a single root CA; i.e., just because you already have a root CA in your enterprise, doesn't mean you can't set up another one; they would be completely independent entities and not interfere with each other at all.

To quickly summarize, certificate services has three different mode categories that can be mixed and matched based on your needs and configuration, none of these is dependent on the other and each has its own considerations:
1. AD Integrated (Enterprise CA) or not
2. Root or Subordinate
3. On Windows Enterprise or Standard

< Message edited by jsandys -- 6/19/2008 9:25:17 AM >


(in reply to khunter)
Post #: 8
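The three axes in the post above can be read straight off a CA box. The following PowerShell is an added example, not code from the thread or from Microsoft: it classifies the local CA as AD-integrated or standalone, root or subordinate, and reports the OS edition separately, because the OS edition is the one axis the CA's own configuration does not record. It assumes Certificate Services stores its settings under `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration` (where it always has) and that the `CAType` and `KRACertCount` registry values carry their documented meanings.

```powershell
# Added example (not from the thread): classify a Windows CA along the three
# axes jsandys lists. Run on the CA itself from an elevated PowerShell prompt.
# Assumption: Certificate Services keeps its configuration under
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $cfgKey)) {
    throw 'Certificate Services is not installed on this machine.'
}

# "Active" holds the common name of the CA instance served by this box;
# the per-CA settings live in a subkey of that name.
$caName = (Get-ItemProperty -Path $cfgKey).Active
$caKey  = Join-Path $cfgKey $caName
$ca     = Get-ItemProperty -Path $caKey

# CAType is the ENUM_CATYPES value:
#   0 = Enterprise Root, 1 = Enterprise Subordinate,
#   2 = Standalone Root, 3 = Standalone Subordinate.
$adIntegrated = ($ca.CAType -eq 0 -or $ca.CAType -eq 1)   # axis 1: Enterprise CA or not
$isRoot       = ($ca.CAType -eq 0 -or $ca.CAType -eq 2)   # axis 2: root or subordinate

# Axis 3 is the Windows edition, which is independent of CAType. Only the
# Enterprise/Datacenter editions of Windows Server 2003 allow v2 templates.
$os = Get-WmiObject -Class Win32_OperatingSystem
$onEnterpriseOS = $os.Caption -match 'Enterprise|Datacenter'

# KRACertCount > 0 means at least one key recovery agent certificate is
# configured on the CA, which key archival for EFS keys depends on.
$kraCount = 0
if ($ca.PSObject.Properties['KRACertCount']) { $kraCount = $ca.KRACertCount }

New-Object PSObject -Property @{
    CA                 = $caName
    ADIntegrated       = $adIntegrated
    Role               = $(if ($isRoot) { 'Root' } else { 'Subordinate' })
    WindowsEdition     = $os.Caption
    TemplatesEditable  = $onEnterpriseOS
    KRACertsConfigured = $kraCount
}
```

A CA that reports `ADIntegrated = False` on a box whose `WindowsEdition` says Enterprise is exactly the case the post warns about: a standalone CA on Windows Enterprise, which gives template customization but no autoenrollment.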
RE: Can DC double as certificate server for EFS? - 8/11/2008 9:56:53 PM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
We decided to follow the TechNet steps and create an offline root CA on a Windows STD Server, then create an AD integrated subordinate on a Windows Enterprise Server.  From what I read, I didn't think it would auto deploy the subordinate CA to every computer on our domain, but that's exactly what it did.  Did we do something wrong?

Technet does have a lot of info, but it has it in a bunch of tiny separate pieces.  I'm having trouble keeping straight what to do in what order.  Is there a better tutorial out there?  We're looking to use the CA to allow people to digitally sign their Office files, and for other people to enable EFS on their corporate laptops.  So, I'm going in two different directions at the same time.

Thanks.

KH

(in reply to jsandys)
Post #: 9
RE: Can DC double as certificate server for EFS? - 8/12/2008 8:45:15 AM   
gjones


Posts: 903
Score: 60
Joined: 6/5/2001
From: Ottawa, Ontario, Canada
Status: offline
I'm not sure what you did but if you set up the autoenrollment to allow it then yes it would provide certs to all WS and Users.

The best place to start is here. Sorry I can't be more help.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

(in reply to khunter)
Post #: 10
RE: Can DC double as certificate server for EFS? - 8/12/2008 11:31:53 AM   
jsandys


Posts: 628
Score: 27
Joined: 3/24/2005
From: San Antonio, TX
Status: offline
To answer KH's first question, "Did we do something wrong?", the answer is no.  When you create an Enterprise CA, whether it is a root or subordinate, it is integrated with AD.  One effect of being integrated with AD is that the certificate from that Enterprise CA will be published to all of your member systems as a trusted CA.  Another effect is that all of your DCs should be registering to get a DC authentication cert.  This is probably failing however because by default, domain controllers are not members of the CERT_DCOM_ACCESS group (I think it's called that or something close).  Just add the domain controllers group to this group and all of your DCs will acquire the proper cert and begin to secure all replication data.

There is a great book published by Microsoft Press on PKI: http://www.microsoft.com/MSPress/books/6745.aspx.

(in reply to gjones)
Post #: 11
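The group the post is reaching for is `CERTSVC_DCOM_ACCESS`, a local group created on the CA by Windows Server 2003 SP1 (Windows Server 2008 replaces it with the built-in "Certificate Service DCOM Access" group). Its default members are Domain Users and Domain Computers, and domain controllers belong to neither, so DC certificate enrollment over DCOM fails until "Domain Controllers" is added. The PowerShell below is an added example, not from the thread: part 1 runs on the CA and checks that membership, part 2 pings the CA over DCOM from the DC, and part 3 looks in the DC's machine store for a certificate issued from the DomainController template. The CA config string and domain name are placeholders you must replace.

```powershell
# Added example (not from the thread): verify the prerequisites for a domain
# controller to obtain its DC certificate from an Enterprise CA on 2003 SP1.
# Placeholders (assumptions): substitute your own CA config string and NetBIOS
# domain name.
$caConfig = 'ISSUINGCA01.example.com\Example Issuing CA'   # "<host>\<CA common name>"
$domain   = 'EXAMPLE'

# --- 1. On the CA: the local group that grants DCOM enrollment access.
# Default members are Domain Users and Domain Computers; DCs are in neither.
$members = net localgroup CERTSVC_DCOM_ACCESS 2>$null
if ($members -match "^$domain\\Domain Controllers") {
    'CA: Domain Controllers already has DCOM enrollment access.'
} else {
    'CA: Domain Controllers is missing from CERTSVC_DCOM_ACCESS; add it with:'
    "    net localgroup CERTSVC_DCOM_ACCESS `"$domain\Domain Controllers`" /add"
    '    (then restart Certificate Services so the new membership is picked up)'
}

# --- 2. From the DC: is the CA reachable over DCOM at all? A failure here
# points at RPC/DCOM or the group above, not at templates or policy.
certutil -config $caConfig -ping

# --- 3. On the DC: look for a machine certificate issued from the
# DomainController template. v1 templates record their name in the extension
# with OID 1.3.6.1.4.1.311.20.2 (Certificate Template Name).
$templateOid = '1.3.6.1.4.1.311.20.2'
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -match 'DomainController')
}
if ($dcCerts) {
    $dcCerts | Select-Object Subject, NotAfter, Thumbprint
} else {
    'DC: no DomainController certificate enrolled yet; re-check 1 and 2, then wait for the next autoenrollment pass.'
}
```

Run part 3 again after the fix; once the DC holds a certificate from that template, the CA's Issued Certificates view will show the same thumbprint, which is the cleanest confirmation that enrollment, not just DCOM access, now works.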
RE: Can DC double as certificate server for EFS? - 11/13/2008 11:08:36 PM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
I don't know if anyone is still out there, but we rebuilt our offline and issuing CAs, following the technet articles' directions more closely.  How long should it take for the CAs to show up in the workstations' trusted root list?  We've tried forcing gpupdates.  We're not seeing them this time around and we're not sure what we did differently.  Do I need to add the CAs to the trusted root CA list in our default domain policy gpo?

I cannot find a CERT_DCOM_ACCESS group, or anything similar.  Either way, my DCs are only members of the group "Domain Controllers" in AD.  So, it sounds like we're missing a step somewhere.

(in reply to jsandys)
Post #: 12
RE: Can DC double as certificate server for EFS? - 11/13/2008 11:22:51 PM   
jsandys


Posts: 628
Score: 27
Joined: 3/24/2005
From: San Antonio, TX
Status: offline
It sounds like you didn't create an Enterprise CA; just because it's on Windows Enterprise doesn't mean that it's an Enterprise CA.

(in reply to khunter)
Post #: 13
RE: Can DC double as certificate server for EFS? - 11/14/2008 11:17:42 AM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
We used the book you recommended.  I'm pretty sure my coworker set up the PKI correctly.  Autoenrollment is set up in the default domain policy gpo.  Should the DCs be members of "Cert Publishers"?

KH

(in reply to jsandys)
Post #: 14
RE: Can DC double as certificate server for EFS? - 11/14/2008 11:47:17 AM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
After poking around, here's what we have:

One offline root CA, running on Windows 2003 Enterprise server
One issuing CA, running on another Windows 2003 Enterprise server

We do not have an "Enterprise CA", but we did publish both the root and issuing CAs to AD.

I verified they're in AD by using ADSI Edit.  pkiview.msc also shows the status to be ok for the certs we've created.  The book says once published, these two certs should propagate to every computer.  Autoenrollment is enabled in the default domain policy.  I cannot find any other gpo where it's changed.
I did create a new gpo whose only job is to push out a DRA key.  I've removed the link and run a gpupdate /force to see if that could be holding up the distribution of the root and issuing CAs.

What else can I tell you that might help troubleshoot this?

KH

(in reply to khunter)
Post #: 15
RE: Can DC double as certificate server for EFS? - 11/14/2008 3:07:51 PM   
jsandys


Posts: 628
Score: 27
Joined: 3/24/2005
From: San Antonio, TX
Status: offline
Autoenrollment is only available with an online Enterprise CA.

Where did you publish the certs in Group Policy and where are you looking on the client to verify that they have been distributed?

(in reply to khunter)
Post #: 16
RE: Can DC double as certificate server for EFS? - 11/14/2008 3:21:05 PM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
Issuing server is online.  If "Enterprise" equals "AD Integrated", then the issuing CA is an "Enterprise CA".

I used ADSI Edit from my domain controller to look at CN=Public Key Services, CN=Services, CN=Configuration, DC=.., DC=.., DC=com.   Each CA (server) is listed under CDP.

I haven't explicitly listed the certs anywhere in a GPO b/c it sounded like it should happen automagically.  Do I need to explicitly list each certificate in 'Computer Configuration\Security Settings\Public Key Policies\Trusted Root Certificate Authorities'?  I have yet to find an article or passage in that book that explicitly says what to edit in my GPO to push my CA certs out.

I'm obviously missing something.

(in reply to jsandys)
Post #: 17
RE: Can DC double as certificate server for EFS? - 11/19/2008 10:58:56 AM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
Upon further review, here are some peculiarities we've found that could be clues.  I'll defer to you all.

When we look in AD Sites and Services, BOTH our root CA and issuing CA are listed under ".\Services\Public Key Services\AIA" and ".\Services\Public Key Services\CDP", but only the root CA is listed under ".\Services\Public Key Services\Certification Authorities".  Neither CA is showing up in end user workstation trusted root CAs (yet), and it's been almost a week.

What step did we miss?

KH

(in reply to khunter)
Post #: 18
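The layout described in the post above is what a correctly published two-tier PKI looks like: the Certification Authorities container holds only root CA certificates (it is what `certutil -dspublish -f <cert> RootCA` writes to, and what clients copy into their Trusted Root store), the AIA container holds every CA certificate for chain building, CDP holds CRL locations per CA, and an issuing CA appears under Enrollment Services only if it is an Enterprise CA. So the issuing CA being absent from Certification Authorities is expected, and the open question is only why the root is not reaching clients. The PowerShell below is an added example, not from the thread or the book: part 1 lists what is actually in those containers by reading the configuration naming context from RootDSE, and part 2 checks on a workstation whether machine autoenrollment policy applied and what the AD-sourced enterprise Root store contains. It assumes nothing about CA names.

```powershell
# Added example (not from the thread): show what is published in the AD Public
# Key Services containers, then check what a client has actually received.
# Part 1 needs only read access to the Configuration partition; run part 2 on
# the workstation that is missing the root CA.

# --- Part 1: what is published in AD?
$cfg   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiDn = "CN=Public Key Services,CN=Services,$cfg"

# Each container holds a different kind of object:
#   Certification Authorities - root CA certs; clients copy these to Trusted Root
#   AIA                       - any CA cert (root and issuing), used for chain building
#   CDP                       - CRL distribution points, one sub-container per CA
#   Enrollment Services       - Enterprise (AD-integrated) CAs only; empty for standalone
foreach ($container in 'Certification Authorities', 'AIA', 'CDP', 'Enrollment Services') {
    $entry = [ADSI]"LDAP://CN=$container,$pkiDn"
    $names = @($entry.Children | ForEach-Object { $_.Name -replace '^CN=', '' })
    '{0,-28} {1}' -f $container, $(if ($names) { $names -join ', ' } else { '(empty)' })
}

# NTAuthCertificates is one object whose cACertificate attribute lists the CAs
# trusted to issue logon (smart card, DC) certificates.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiDn"
'{0,-28} {1} certificate(s)' -f 'NTAuthCertificates', $ntAuth.Properties['cACertificate'].Count

# --- Part 2: on the client, did machine autoenrollment run and pull the roots?
# AEPolicy is the registry form of the GPO "Autoenrollment Settings" value;
# 0x8000 (AUTO_ENROLLMENT_DISABLE_ALL) turns it off, which also stops the
# download of roots from the Certification Authorities container.
$aePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = if (Test-Path $aePath) { (Get-ItemProperty $aePath).AEPolicy } else { $null }
if ($aePolicy -eq $null)        { 'Autoenrollment: no machine policy has applied here (check gpresult)' }
elseif ($aePolicy -band 0x8000) { 'Autoenrollment: DISABLED by policy (AEPolicy has 0x8000 set)' }
else                            { 'Autoenrollment: enabled (AEPolicy = {0})' -f $aePolicy }

# Roots pulled from AD land in the machine's *enterprise* Root store, which
# certutil shows with -enterprise; the Cert: drive only shows the merged view.
# certutil -pulse (Vista/2008 and later) triggers an autoenrollment pass now;
# on XP/2003 a reboot or the 8-hour timer does the same.
certutil -pulse | Out-Null
certutil -enterprise -store Root | Select-String 'Subject:', 'NotAfter'
```

If part 1 shows the root under Certification Authorities but part 2 shows an enabled policy and an empty enterprise Root store, the gap is between policy application and the download, and `gpresult /scope computer` on the same workstation will show whether the policy carrying the autoenrollment setting is actually applied to that machine.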
RE: Can DC double as certificate server for EFS? - 12/4/2008 10:50:00 AM   
khunter

 

Posts: 101
Score: 0
Joined: 9/12/2006
Status: offline
I'm still not able to get my CA certs distributed to my client workstations.  At this point, would it be a waste of time, or money, to open a ticket with Microsoft?  Would they be able to help with something like this?

KH

(in reply to khunter)
Post #: 19
RE: Can DC double as certificate server for EFS? - 12/4/2008 11:27:35 AM   
gjones


Posts: 903
Score: 60
Joined: 6/5/2001
From: Ottawa, Ontario, Canada
Status: offline
In my opinion, it is never a waste of time or money to call PSS/CSS (MS Support). I'm sure that you will learn at least 1 thing and get your problem solved quicker. So..

(in reply to khunter)
Post #: 20