3. Considerations for the Use and Management of AD CS
Active Directory Certificate Services role services are
managed by using MMC snap-ins.
Table 1. AD CS Management Tools

| Tool | Usage | Location |
|---|---|---|
| Certification Authority | To manage a certificate authority. | Server Manager |
| Certificates | To manage certificates. This snap-in is installed by default. | Custom MMC snap-in |
| Certificate Templates | To manage certificate templates. | Server Manager |
| Online Responder | To manage an OR. | Server Manager |
| Enterprise PKI | To manage the entire PKI infrastructure. | Server Manager |
| Certutil | To manage PKI functions from the command line. | Command prompt |
| Windows PowerShell | To automate PKI functions in your AD CS deployment. | Administrative Tools program group |
Note: INSTALL THE SNAP-IN WITHOUT INSTALLING AD CS
The snap-ins listed in Table 1 can be installed by using Server
Manager and selecting the AD CS tools under Remote Server
Administration Tools. If the computer from which you want to perform
remote administration tasks is running Windows 7, you can obtain the
Remote Server Administration Tools from the Microsoft Download
Center at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d.
Note: MORE INFO WINDOWS POWERSHELL AND AD CS
Windows PowerShell provides some support for the automation of
AD CS operations. For examples of the types of operations you can
perform through Windows PowerShell with AD CS, go to http://social.technet.microsoft.com/wiki/contents/articles/active-directory-certificate-services-ad-cs-powershell-examples.aspx.
As you work with AD CS, you will see that it provides a great amount of
information through the Event Log. Table 2 lists the most
common events for AD CS certificate authorities.
Table 2. Common Certificate Authority Event IDs

| Category | Event IDs | Description |
|---|---|---|
| AD CS Access Control | 39, 60, 92 | Related to insufficient or inappropriate use of permissions. |
| AD CS and AD DS | 24, 59, 64, 91, 93, 94, 106, 107 | Related to access (read or write) for AD DS objects. |
| AD CS Certificate Request (Enrollment) Processing | 3, 7, 10, 21, 22, 23, 53, 56, 57, 79, 80, 97, 108, 109, 128, 132 | One element required for certificate enrollment to succeed is missing: a valid CA certificate, properly configured certificate templates, client accounts, or certificate requests. |
| AD CS Certification Authority Certificate and Chain Validation | 27, 31, 42, 48, 49, 51, 58, 64, 100, 103, 104, 105 | Related to availability, validity, and chain validation for a CA certificate. |
| AD CS Certification Authority Upgrade | 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 125, 126 | Related to upgrading certificate authorities from an earlier version of Windows to Windows Server 2008 R2; can indicate configuration options or components that need to be reconfigured. |
| AD CS Cross-Certification | 99, 102 | Related to the cross-CA certificates created to establish relationships between the original certificate and the renewed root. |
| AD CS Database Availability | 17 | Related to CA database access issues. |
| AD CS Exit Module Processing | 45, 46 | Related to the exit module functions: publish or send email notification. |
| AD CS Key Archival and Recovery | 81, 82, 83, 84, 85, 86, 87, 88, 96, 98, 127 | Related to key recovery agent certificates, exchange (XCHG) certificates and keys, or to one or all of these components being missing. |
| AD CS Performance Counters Availability | 110 | Related to performance counters that cannot be started. |
| AD CS Policy Module Processing | 9, 43, 44, 77, 78 | Related to problems detected with a policy module. |
| AD CS Program Resource Availability | 15, 16, 26, 30, 33, 34, 35, 38, 40, 61, 63, 89, 90 | Related to the availability of system resources and operating system components. |
| AD CS Registry Settings | 5, 19, 20, 28, 95 | Related to the corruption or deletion of configuration settings in the registry. |
| AD CS Online Responder | 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 29, 31, 33, 34, 35 | Related to Online Responder service dependencies. |
Rely on the contents of Table 2 to quickly
identify the area that an issue relates to so that you can resolve it
faster.
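The following Python triage helper is an added example built from the Table 2 categories; it is not from the original text. It keeps separate indexes for CA and Online Responder events because many Online Responder IDs (16, 17, 19 to 23, 26, 27, 31, 33 to 35) collide with CA IDs, and event 64 is listed under two CA categories, so a lookup keyed on the ID alone is ambiguous. The "CA" and "OR" component labels, the shortened category names and the sample records are constructed for this example, not Windows event provider names.

```python
# Added example: triage AD CS events by the Table 2 categories. CA and Online Responder (OR)
# IDs overlap and CA event 64 is in two categories, so lookups always return a list.
from collections import defaultdict

CA_CATEGORIES = {
    "Access Control": {39, 60, 92},
    "AD DS Access": {24, 59, 64, 91, 93, 94, 106, 107},
    "Enrollment": {3, 7, 10, 21, 22, 23, 53, 56, 57, 79, 80, 97, 108, 109, 128, 132},
    "Chain Validation": {27, 31, 42, 48, 49, 51, 58, 64, 100, 103, 104, 105},
    "CA Upgrade": set(range(111, 124)) | {125, 126},
    "Cross-Certification": {99, 102},
    "Database Availability": {17},
    "Exit Module": {45, 46},
    "Key Archival and Recovery": set(range(81, 89)) | {96, 98, 127},
    "Performance Counters": {110},
    "Policy Module": {9, 43, 44, 77, 78},
    "Program Resources": {15, 16, 26, 30, 33, 34, 35, 38, 40, 61, 63, 89, 90},
    "Registry Settings": {5, 19, 20, 28, 95},
}
OR_IDS = {16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 29, 31, 33, 34, 35}
# Inverted index: CA event ID -> sorted list of category names.
CA_INDEX = defaultdict(list)
for _cat, _ids in CA_CATEGORIES.items():
    for _i in _ids:
        CA_INDEX[_i].append(_cat)
CA_INDEX = {i: sorted(c) for i, c in CA_INDEX.items()}

def ambiguous_ca_ids():
    """CA IDs that Table 2 lists under more than one category."""
    return sorted(i for i, c in CA_INDEX.items() if len(c) > 1)

def ids_shared_with_or():
    """OR IDs that also exist as CA IDs: the logging component must disambiguate."""
    return sorted(OR_IDS & set(CA_INDEX))

def classify(component, event_id):
    """component is "CA" or "OR" (labels constructed here, not provider names)."""
    if component == "OR":
        return ["Online Responder"] if event_id in OR_IDS else []
    return CA_INDEX.get(event_id, [])

def triage(records):
    """Count records per category; an ambiguous ID counts under every candidate."""
    counts = defaultdict(int)
    for component, event_id in records:
        for cat in classify(component, event_id) or ["Uncategorized"]:
            counts[cat] += 1
    return dict(counts)

SAMPLE = [("CA", 17), ("OR", 17), ("CA", 64), ("CA", 39), ("CA", 4), ("OR", 29)]  # constructed
```

When feeding real log records, take the component from the event source rather than guessing from the ID, since the same number means a database problem on a CA and a service dependency problem on an Online Responder.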
Note: MORE INFO AD CS EVENT IDs
To find more information on event types, read the information
at http://technet2.microsoft.com/windowsserver2008/en/library/688d1449-3086-4a79-95e6-5a7f620681731033.mspx.
4. Working with Enterprise PKI
One of the most useful tools in an AD CS infrastructure is
Enterprise PKI, or PKIView from the command line, which is the Enterprise
PKI node under Active Directory Certificate Services in Server
Manager. Enterprise PKI can be used for several AD CS management activities. Basically, Enterprise PKI gives
you a view of the status of your AD CS deployment and allows you to
view the entire PKI hierarchy in your network and drill down into
individual CAs to quickly identify issues with the configuration or
operation of your AD CS infrastructure.
Enterprise PKI is mostly used as a diagnostic and health view
tool because it displays operational information about the members of
your PKI hierarchy. In addition, you can use Enterprise PKI to link to
each CA quickly by right-clicking the CA name and clicking Manage CA.
This launches the Certification Authority console for the targeted
CA.
From the Actions pane, you can also gain access to the Templates
console (Manage Templates) as well as the Certificate Containers in
Active Directory Domain Services (Manage AD Containers). The latter,
shown in Figure 2,
allows you to view the contents of each of the containers in a
directory used to store certificates for your PKI
architecture.
Rely on Enterprise PKI to check AD CS health status visually.
Its icons give you immediate feedback on each component of your
infrastructure, showing green when all is healthy, yellow when minor
issues are found, and red when critical issues arise.