Windows Vista Tips

Re: ADCS Ent SubCA on Server 2008 R2 Core - any documentation?

 
 
Martin Rublik

09-21-2009

Hi,

I have a few questions:
1. Are there any problems logged to the event log?
2. Is there a possibility you have a firewall misconfigured?
3. Is there a possibility you don't have access rights properly assigned?
4. What registry key have you exported / imported (try to import only
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>)?

I suggest installing the CA directly on Server Core and configuring it there. You
can use automated scripts in order to install CA on Windows Server 2008 R2. See

http://blogs.technet.com/pki/archive...nd-2008r2.aspx
for more details.

HTH

Martin


Gordon.Young wrote:
> Hi Everyone!
>
> I am seeking documentation, experience, etc. regarding building an
> enterprise SubCA on a Server 2008 Enterprise R2 Core installation.
>
> Our goal is to build a POC of our enterprise PKI as a grid of R2 Core
> CAs on clustered Hyper-V.
>
> We are getting stuck with the R2 Core SubCA piece.
>
> I have one Core SubCA up and running. I did the following:
>
> 1. built the CA first as a full Server 2008 Enterprise install with
> GUI
> 2. exported the certsrv database + keypair PFX file.
> 3. built a Core box with the same DNS name
> 4. deleted the old CA's computer account from AD.
> 5. joined the new CA with the same name to AD.
> 6. installed the ADCS Core role
> 7. imported the certsrv registry node from the Full server install into
> the Core server install.
> 8. restored the DB + PFX backup with certutil (after creating the dir
> structure)
>
> 9. started up the ADCS service; there were no issues.
>
> At this point, I can't enroll for certs from a remote computer on the
> same domain as a user with the appropriate access. Also I can't manage
> the CA remotely, can't issue a CRL, manage properties, etc.
> I am missing something. The CA did write a new CRL, issued a new CA
> Exchange key, etc..
>
> Any documentation, suggestions, guidance is much appreciated.
>
>
> Thanks,
> Gordon Young~


--
Replace nospam with google's mail for e-mail communication
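A PowerShell health check that walks through Martin's four questions on the rebuilt Core CA, added here as an example and not code from the thread. It assumes PowerShell 2.0 is enabled on the Core box, that it is run elevated on the CA itself, and that the CA common name in $CAName is a placeholder you replace with your own.

```powershell
# Added example, not from the thread: run Martin's four checks against a Core
# SubCA rebuilt the way the original post describes.
# Assumptions: PowerShell 2.0 enabled on the Core box, run elevated on the CA,
# and $CAName is a constructed placeholder for the CA common name.
param([string]$CAName = "Contoso-Issuing-CA")   # constructed placeholder value

$cfgRoot = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"

# 1. Event log: errors and warnings the CA service logged since the restore.
Write-Host "== CertSvc errors/warnings (Application log) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Level = 1, 2, 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 2. Firewall: disabled in the poster's lab. In production keep it on and
#    enable the "Certification Authority" rule group so RPC/DCOM enrollment
#    and remote MMC management can reach the CA.
Write-Host "== Firewall profile state =="
netsh advfirewall show allprofiles state

# 3. Access rights: deleting and re-creating the CA computer account (steps
#    4-5 of the post) gives it a new SID, so confirm it is still a member of
#    Cert Publishers, which an enterprise CA needs to publish to AD.
Write-Host "== Cert Publishers membership =="
$members = net group "Cert Publishers" /domain
$pattern = '(^|\s)' + [regex]::Escape($env:COMPUTERNAME + '$')
if ($members -match $pattern) {
    Write-Host "OK: $env:COMPUTERNAME`$ is a member of Cert Publishers"
} else {
    Write-Warning "$env:COMPUTERNAME`$ is NOT in Cert Publishers; re-add it in AD"
}

# 4. Registry: only CertSvc\Configuration\<CAName> should have been imported.
#    Check the active CA name matches and that the values an enterprise CA
#    depends on still point at this host and this forest.
Write-Host "== CA configuration key =="
$active = (Get-ItemProperty $cfgRoot).Active
if ($active -ne $CAName) { Write-Warning "Active CA is '$active', expected '$CAName'" }
Get-ItemProperty "$cfgRoot\$CAName" |
    Select-Object CommonName, CAServerName, CAType, DSConfigDN |
    Format-List

# Finally, exercise the RPC/DCOM request interface that remote enrollers use.
certutil -config "$env:COMPUTERNAME\$CAName" -ping
```

If the scoped import is repeated, the matching export on the Full server is "reg export" of that same Configuration\<CAName> key rather than the whole CertSvc node.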
 
Gordon Young

09-22-2009
Sorry Martin, I haven't been able to get to this in a few days.

> I have a few questions:
> 1. Are there any problems logged to the event log?

I need to enable the remote Event Viewer; I'll do this and review the event log.
> 2. Is there a possibility you have a firewall misconfigured?

No firewall; since this is a test environment I have disabled the default
firewall.
> 3. Is there a possibility you don't have access rights properly assigned?

Since this is a test environment I am testing with the EA/DA account.
> 4. What registry key have you exported / imported (try to import only

I did import the entire registry key:
HKLM\System\CurrentControlSet\Services\CertSvc.
I will do a new build with just:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

Gordon Young

09-22-2009
Oh and thank you, BTW! Your help is much appreciated.

~Gordon

Martin Rublik

09-23-2009
One more question,

what do you mean by
"Our goal is to build a POC of our enterprise PKI as a grid of r2 core CA's on
clustered Hyper-V."?

Are you clustering CA's or Hyper-V hosts?

If you are trying to set up a clustered CA, was the CA set up properly? You might
find this white paper useful:
http://www.microsoft.com/downloads/d...DisplayLang=en

Regards

Martin

--
Replace nospam with google's mail for e-mail communication
 