Management of AD CS
Active Directory Certificate Services role services are managed by using MMC snap-ins. The following table lists the tools you have used throughout this lessons, most of which are available from within Server Manager.
Use the buttons below to navigate through the lesson
The snap-ins listed in table can be installed by using Server Manager and selecting the AD CS tools under Remote Server Administration Tools.
If the computer from which you want to perform remote administration tasks is running Windows Vista Service Pack 1, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkID=89361.
| Tool | Usage | Location |
| Certification Authority | To manage a certificate authority. | Server Manager |
| Certificates | To manage certificates. This snap-in is installed by default. | Custom MMC snap-in |
| Certificate Templates | To manage certificate templates. | Server Manager |
| Online Responder | To manage an OR. | Server Manager |
| Certutil | To manage PKI functions from the command line. | Command prompt |
| Enterprise PKI | To manage the entire PKI infrastructure. | Server Manager |
As you work with AD CS, you will see that it provides a great amount of information through the Event Log. The following tables list the most common events for AD CS certificate authorities.
Common CA Event IDs
| Category | Event ID | Description |
| AD CS Access Control | 39, 60, 92 | Related to insufficient or inappropriate use of permissions. |
| AD CS and AD DS | 24, 59, 64, 91, 93, 94, 106, 107 | Related to access (read or write) for AD DS objects. |
| AD CS Certificate Request (Enrollment) Processing | 3, 7, 10, 21, 22, 23, 53, 56, 57, 79, 80, 97, 108, 109, 128, 132 | One element for certificate enrollment to succeed is missing: valid CA certificate, certificate templates with proper configuration, client accounts, or certificate requests. |
| AD CS Certificatio Authority Certificate and Chain Validation | 27, 31, 42, 48, 49, 51, 58, 64, 100, 103, 104, 105 | Related to availability, validity, and chain validation for a CA certificate. |
| AD CS Certification Authority Upgrade | 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 125, 126 | Related to upgrading certificate authorities from an earlier version of Windows to Windows Server 2008 and can indicate configuration options or components that need to be reconfigured. |
| AD CS Cross-Certification | 99, 102 | Related to the cross-CA certificates created to establish relationships between the original certificate and the renewed root. |
| AD CS Database Availability | 17 | Related to CA database access issues. |
| AD CS Exit Module Processing | 45, 46 | Related to the exit module functions: publish or send e-mail notification. |
| AD CS Key Archival and Recovery | 81, 82, 83, 84, 85, 86, 87, 88, 96, 98, 127 | Related to key recovery agent certificates, exchange (XCHG) certificates and keys, or that one or all these components are missing. |
| AD CS Performance Counters Availability | 110 | Related to performance counters that cannot be started. |
| AD CS Policy Module Processing | 9, 43, 44, 77, 78 | Related to problems detected with a policy module. |
| AD CS Program Resource Availability | 15, 16, 26, 30, 33, 34, 35,38, 40, 61, 63, 89, 90 | Related to the availability of system resources and operating system components. |
| AD CS Registry Settings | 5, 19, 20, 28, 95 | Related to the corruption or deletion of configuration settings in the registry. |
| AD CS Online Responder | 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 29, 31, 33, 34, 35 | Related to Online Responder service dependencies. |
Enterprise PKI
One of the most useful tools in an AD CS infrastructure is Enterprise PKI, or PKIView from the command line, which is the Enterprise PKI node under Active Directory Certificate Services in Server Manager. Enterprise PKI can be used for several AD CS management activities. Basically, Enterprise PKI gives you a view of the status of your AD CS deployment and enables you to view the entire PKI hierarchy in your network and drill down into individual CAs to quickly identify issues with the configuration or operation of your AD CS infrastructure.
Enterprise PKI is mostly used as a diagnostic and health view tool because it displays operational information about the members of your PKI hierarchy. In addition, you can use Enterprise PKI to link to each CA quickly by right-clicking the CA name and selecting Manage CA. This launches the Certification Authority console for the targeted CA.
From the Actions pane, you can also gain access to the Templates console (Manage Templates) as well as to the Certificate Containers in Active Directory Domain Services (Manage AD Containers). The latter enables you to view the contents of each of the various containers in a directory that is used to store certificates for your PKI architecture.
Backup and Restore AD CS
In Server Manager, expand Roles\ Active Directory Certificate Services\CA Server Name. Right-click the server name, select All Tasks, and choose Back Up CA. Click Next. Select The Private Key And CA Certificate option will protect the certificate for this server. The Certificate Database And Certificate Database Log option will protect the certificates this CA manages. Click Browse for the backup location. This location should be empty. A good choice might be to back up to this local folder and then copy the backup to removable media. Select Folder (This folder was created prior to this exercise) and click OK. Click Next. Assign a strong password to the backup and click Next. Click Finish. The backup has been created. To restore CA data right click the server name. Select All Tasks>Restore CA. In order to restore data the service needs to be stopped, click OK. Click Next. Select data to be restored, specify or browse to backup location click Next. Type in password and click Next. Click Finish. Service will automatically restart, when backup is complete.
