Configuration and connection to Active Directory CS on Windows Server 2016 Datacenter
To connect to the server you need the public IP address of the VM. You can find it in the Azure portal: select the virtual machine from the list and open “Overview”; the address is shown in the “Public IP address” field.
Connecting and configuring the VM
- Open “Remote Desktop Connection”: press Win + R, enter “mstsc” in the window that appears, and click “OK”.
- In the window that appears, enter the IP of the virtual machine and click “Connect”.
- In the window that appears, enter your username and password and click “OK”.
- Check the box and click “Yes”.
- Once logged in, open “Server Manager” (if it does not start automatically).
The first decision is whether this will be an Enterprise CA or a Standalone CA. For an Enterprise CA you will need to join this VM to your Active Directory domain; otherwise you can leave it as a member server and run it as a Standalone CA.
- Next, run the setup wizard from the notification alert in Server Manager.
- On the Credentials page, the Administrator account is displayed in the Credentials box. Click Next.
- On the Role Services page, select the Certification Authority check box and click Next.
- On the Setup Type page, select Enterprise CA as the CA type to allow integration with your AD, or Standalone CA if you want to run this as a member server in a workgroup.
- On the CA Type page, select Root CA if this is the first CA in your environment, or Subordinate CA if you already have an established PKI. Click Next.
- On the Private Key page, choose between Create a new private key or Use existing private key. Click Next.
- On the Cryptography for CA page:
  - Select RSA#Microsoft Software Key Storage Provider as the cryptographic provider.
  - Select a key length of 2048 or above.
  - Select SHA1 as the hash algorithm and click Next.
- On the CA Name page, specify the name of your CA in the Common name for this CA text box.
- On the Validity Period page, select the number of years for the certificate to be valid.
- On the CA Database page, specify the locations for the database and database log files. Click Next.
- On the Confirmation page, click Configure. The results screen appears after the configuration is complete.
- After completing the setup you can use the Certification Authority console.
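As an added example that is not part of this guide, the wizard steps above as one PowerShell script (Install-AdcsCertificationAuthority is the cmdlet behind the wizard), followed by a check that the resulting CA certificate has the key length and signature algorithm you intended. It assumes a domain-joined VM and an elevated session run as an Enterprise Admin; the CA name and directories are placeholders, and it uses SHA256 rather than the SHA1 named in the wizard step, because SHA-1 certificate signatures are deprecated and rejected by current clients.

```powershell
# Added example, not the guide's own script. Assumes an elevated session on a
# domain-joined server; CA name and paths below are placeholders.

# Role Services page: install the Certification Authority role service.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Setup Type, CA Type, Private Key, Cryptography, CA Name, Validity Period
# and CA Database pages, as cmdlet parameters.
# SHA256 is used instead of the wizard's SHA1 (see lead-in).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CACommonName 'CONTOSO-ROOT-CA' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\System32\CertLog' `
    -LogDirectory 'C:\Windows\System32\CertLog' `
    -Force

# Verify the CA's own certificate (kept in the machine's Personal store).
# A SHA-1 root or a short key is a finding on any later audit, and clients
# that refuse SHA-1 signatures will not trust certificates chained to it.
$ca = Get-ChildItem Cert:\LocalMachine\My |
      Where-Object { $_.Subject -like 'CN=CONTOSO-ROOT-CA*' } |
      Select-Object -First 1

if ($null -eq $ca) {
    throw 'CA certificate not found; check the CACommonName used above.'
}

$sigAlg  = $ca.SignatureAlgorithm.FriendlyName
$keyBits = $ca.PublicKey.Key.KeySize

if ($sigAlg -notmatch 'sha(256|384|512)') {
    Write-Warning "CA certificate is signed with $sigAlg; re-issue it with SHA-2."
}
if ($keyBits -lt 2048) {
    Write-Warning "CA key is only $keyBits bits; 2048 or above was intended."
}

# The hash the CA uses to sign issued certificates is separate from the
# root certificate's own signature; for KSP-based CAs it is this registry value.
certutil -getreg ca\csp\CNGHashAlgorithm
```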
Firewall Ports
If you have a network security group or a firewall appliance in front of your new AD CS virtual machine, check that the following firewall ports are open.
Below is a list of the ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.
Deploy Certificates
Once your CA is set up, you are ready to start deploying certificates. The following article has a good tutorial on this: