In most cases, you will install at least a two-tiered structure, installing first a standalone, then an enterprise CA. In larger organizations, you will deploy several tiers and install several servers in each tier except for the root. Servers hosting the AD CS role should be configured with the following capabilities whether they are physical or virtual:
Use the buttons below to navigate through the lesson
- Multiple processors, because they accelerate the certificate allocation process.
Minimal amounts of RAM, because RAM has little effect on certificate processing. VMs can have 512 megabytes (MB) of RAM. - Separate disks for the certificate store. Ideally, you will have at least one data disk and store the database on it. Issuing servers for large communities should also have a separate disk for log files.
- Key lengths will have an impact on CPU and disk usage. Short keys (64bit) will require more disk overhead. Long keys (256bit) will require more CPU usage and lower disk usage. Keep your key lengths to medium (128bit) sizes to obtain the best performance from the server.
- If using physical systems, use a redundant array of inexpensive disks (RAID) level that is balanced between reliability and improved performance.
The supported features based on the edition of Windows Server 2008.
| Supported Components and Features | Web | Standard | Enterprise | Data Centre |
| Key archival | No | No | Yes | Yes |
| Role Separation | No | No | Yes | Yes |
| Certificate Manager restrictions | No | No | Yes | Yes |
| Delegated enrollment agent restrictions |
No | No | Yes | Yes |
You must prepare your environment before installing AD CS. The prerequisites for an AD CS installation include the following:
- An AD DS forest with at least a forest root domain. Preferably, you will also have a child production domain.
- Computers to run the certificate authorities used in your hierarchy. In the simplest deployment, this will mean at least two computers: one for the root CA and one for the issuing CA. The issuing CA can also host the online responder service and NDES. The issuing CA will require the installation of IIS, but the AD CS installation process will automatically add this feature during installation. Both computers should be members of the production domain.
- Keep in mind that the root CA can run Windows Server 2008 Standard Edition. In addition, it should be disconnected from the network after the installation is complete, for security purposes.
- The enterprise issuing CA will need to run on either Windows Server 2008 Enterprise Edition or Windows Server 2008 Datacenter Edition.
- The root CA needs at least two drives, and the issuing CA should have three drives to store the certificate database and its logs.
- You will need a special user account if you choose to install the NDES service. Create a domain account and make it a member of the local IIS_IUSRS group on each server that will host this service. For example, you could name this account NDESService.
- Client computers, ideally running Windows Vista, to request and obtain certificates.
Right click Roles. Select Add Roles. Click Next. Select Active Directory Certificate Services and click Next. Click Next. Select Certification Authority and click Next. Select Standalone and click Next. Select Root CA and click Next. Select Create a new private key Select Create a new private key and click Next. Select the suggested cryptographic service provider (CSP). Select a key character length of 2048. Select the sha1 hash algorithm for signing certificates issued by this CA and click Next. Create a common name and click Next. Select a suitable validity period and click Next. Select Database and logfile locations and click Next. Review settings and click Install. Click Close. Standalone Root CA is now installed. Disconnect this CA from the network after the Group Policy cycle has been updated, to provide further protection for this server.