Management of AD CS

Active Directory Certificate Services role services are managed by using MMC snap-ins. The following table lists the tools you have used throughout this lessons, most of which are available from within Server Manager.

Use the buttons below to navigate through the lesson

The snap-ins listed in table can be installed by using Server Manager and selecting the AD CS tools under Remote Server Administration Tools.
If the computer from which you want to perform remote administration tasks is running Windows Vista Service Pack 1, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center at

Tool Usage Location
Certification Authority To manage a certificate authority. Server Manager
Certificates To manage certificates. This snap-in is installed by default. Custom MMC snap-in
Certificate Templates To manage certificate templates. Server Manager
Online Responder To manage an OR. Server Manager
Certutil To manage PKI functions from the command line. Command prompt
Enterprise PKI To manage the entire PKI infrastructure. Server Manager

As you work with AD CS, you will see that it provides a great amount of information through the Event Log. The following tables list the most common events for AD CS certificate authorities.

Common CA Event IDs

Category Event ID Description
AD CS Access Control 39, 60, 92 Related to insufficient or inappropriate use of permissions.
AD CS and AD DS 24, 59, 64, 91, 93, 94, 106, 107 Related to access (read or write) for AD DS objects.
AD CS Certificate Request (Enrollment) Processing 3, 7, 10, 21, 22, 23, 53, 56, 57, 79, 80, 97, 108, 109, 128, 132 One element for certificate enrollment to succeed is missing: valid CA certificate, certificate templates with proper configuration, client accounts, or certificate requests.
AD CS Certificatio Authority Certificate and Chain Validation 27, 31, 42, 48, 49, 51, 58, 64, 100, 103, 104, 105 Related to availability, validity, and chain validation for a CA certificate.
AD CS Certification Authority Upgrade 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 125, 126 Related to upgrading certificate authorities from an earlier version of Windows to Windows Server 2008 and can indicate configuration options or components that need to be reconfigured.
AD CS Cross-Certification 99, 102 Related to the cross-CA certificates created to establish relationships between the original certificate and the renewed root.
AD CS Database Availability 17 Related to CA database access issues.
AD CS Exit Module Processing 45, 46 Related to the exit module functions: publish or send e-mail notification.
AD CS Key Archival and Recovery 81, 82, 83, 84, 85, 86, 87, 88, 96, 98, 127 Related to key recovery agent certificates, exchange (XCHG) certificates and keys, or that one or all these components are missing.
AD CS Performance Counters Availability 110 Related to performance counters that cannot be started.
AD CS Policy Module Processing 9, 43, 44, 77, 78 Related to problems detected with a policy module.
AD CS Program Resource Availability 15, 16, 26, 30, 33, 34, 35,38, 40, 61, 63, 89, 90 Related to the availability of system resources and operating system components.
AD CS Registry Settings 5, 19, 20, 28, 95 Related to the corruption or deletion of configuration settings in the registry.
AD CS Online Responder 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 29, 31, 33, 34, 35 Related to Online Responder service dependencies.

Enterprise PKI

One of the most useful tools in an AD CS infrastructure is Enterprise PKI, or PKIView from the command line, which is the Enterprise PKI node under Active Directory Certificate Services in Server Manager. Enterprise PKI can be used for several AD CS management activities. Basically, Enterprise PKI gives you a view of the status of your AD CS deployment and enables you to view the entire PKI hierarchy in your network and drill down into individual CAs to quickly identify issues with the configuration or operation of your AD CS infrastructure.

Enterprise PKI is mostly used as a diagnostic and health view tool because it displays operational information about the members of your PKI hierarchy. In addition, you can use Enterprise PKI to link to each CA quickly by right-clicking the CA name and selecting Manage CA. This launches the Certification Authority console for the targeted CA.
From the Actions pane, you can also gain access to the Templates console (Manage Templates) as well as to the Certificate Containers in Active Directory Domain Services (Manage AD Containers). The latter enables you to view the contents of each of the various containers in a directory that is used to store certificates for your PKI architecture.

Backup and Restore AD CS

In Server Manager, expand Roles\ Active Directory Certificate Services\CA Server Name. Right-click the server name, select All Tasks, and choose Back Up CA. Click Next. Select The Private Key And CA Certificate option will protect the certificate for this server. The Certificate Database And Certificate Database Log option will protect the certificates this CA manages. Click Browse for the backup location. This location should be empty. A good choice might be to back up to this local folder and then copy the backup to removable media. Select Folder (This folder was created prior to this exercise) and click OK. Click Next. Assign a strong password to the backup and click Next. Click Finish. The backup has been created. To restore CA data right click the server name. Select All Tasks>Restore CA. In order to restore data the service needs to be stopped, click OK. Click Next. Select data to be restored,  specify or browse to backup location click Next. Type in password and click Next. Click Finish. Service will automatically restart, when backup is complete.