Part 1: Active Directory Domain Services
The following sections cover administering Active Directory Domain Services and include instructions on how to install and configure Active Directory Domain Services, create service accounts, and add hosts to the DNS service:
In the examples below, the Active Directory Domain Services hostname is dsserver.yourcompany.com. The text enclosed in angle brackets should be replaced with names in your environment.
The steps below show the option of using a separate service account for each component (Certificate Enrollment Services, the Tomcat servlet, and the Active Directory bind account) and placing those components on individual hosts. This layout makes the installation considerably more complex from a permissions perspective and is recommended only for advanced users or where there is a specific need for it. A more straightforward approach is to create a single service account and install the PrimeKey Auto Enrollment Servlet on the same host as the Windows Certificate Server. This reduces communication between hosts and simplifies the deployment.
Step 1 - Install Active Directory Domain Services
The following covers how to install the Active Directory Domain Services.
If an Active Directory environment already exists, continue to Step 2 - Create Service Accounts to create service accounts.
Install Active Directory Domain Services
To install Active Directory Domain Services:
Assign a static IP address for this host.
Give the host an appropriate computer name, in this example <dsserver>.
Open the Server Manager, click Add roles and features, and then click Next.
Select Role-based or feature-based installation and then click Next.
Select Select a server from the server pool, select this server, and then click Next.
Select Active Directory Domain Services.
When prompted to add required features, click Add Features.
Proceed until the Confirmation page and click Install.
When the installation completes, click Close.
Configure Active Directory Domain Services
To configure Active Directory Domain Services:
When the installation completes, a notification appears in Server Manager; click Promote this server to a domain controller.
Set the deployment operation to Add a new forest.
Enter the root domain name <yourcompany.com> and click Next.
Enter the Directory Services Restore Mode (DSRM) password <PASSWORD>, confirm the password, and then click Next.
When prompted the warning "A delegation for this DNS server cannot be created", click Next.
Verify that the NetBIOS domain name is set to <YOURCOMPANY>, and then click Next.
Enter a location for the database, log files, and SYSVOL folders, and then click Next.
Review your selections and click Next.
Verify that all prerequisite checks passed successfully, then click Install.
When the installation completes, close the window. The server reboots automatically.
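The same installation and forest promotion can be done unattended from an elevated PowerShell session. The script below is an added example and is not part of the original PrimeKey documentation; the interface alias, IP addresses, hostname and file paths are placeholders for your environment, and `-CreateDnsDelegation:$false` corresponds to the "A delegation for this DNS server cannot be created" warning you would otherwise click past.

```powershell
# Added example: unattended equivalent of Step 1 (not from the original page).
# Run as a local Administrator on the host that will become the domain controller.
# 'Ethernet', 192.0.2.x, 'dsserver' and yourcompany.com are assumptions; adjust to your environment.

# --- Run first: static address and computer name (the rename requires a reboot) ---
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.0.2.10' -PrefixLength 24 -DefaultGateway '192.0.2.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1'
Rename-Computer -NewName 'dsserver' -Restart

# --- Run after the reboot: install the role and promote to a new forest ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is prompted for rather than written into the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$forestParams = @{
    DomainName                    = 'yourcompany.com'
    DomainNetbiosName             = 'YOURCOMPANY'
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # no parent zone to delegate from, as in the GUI warning
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# Equivalent of the "prerequisite checks" page; stop if anything fails.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite checks did not pass; forest promotion aborted.'
}

# Promotion reboots the server when it finishes (omit -Force to be prompted).
Install-ADDSForest @forestParams -Force
```

After the reboot, `Get-ADDomainController` run on the server should report the new forest and domain; the DSRM password should be stored in your password vault, since it is the only way to repair the directory database offline.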
Step 2 - Create Service Accounts
To create service accounts:
Open the Server Manager and select Tools > Active Directory Users and Computers.
Navigate to <yourcompany.com> and select Users.
Click Action > New > User and add the following service accounts:
Add a service account with user logon name ces-service and select Password never expires. This account will be used for Certificate Enrollment Services.
Add a service account with user logon name servlet-service and select Password never expires. This account will be used for the Tomcat servlet.
Add a service account with user logon name autoenrollmentbind and select Password never expires. This account will be used for the Active Directory bind account.
Because these passwords are never rotated by policy, give each account a long, randomly generated password and keep it in your secrets store rather than in configuration files or scripts.
Add the account (autoenrollmentbind) as a member of the Cert Publishers group.
For simplicity, a single service account can be used for all permissions, which reduces the complexity of the Active Directory permissions work. If using a single service account, add that account wherever one of the accounts above is referenced in the following sections.
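Step 2 in PowerShell, as an added example that is not part of the original PrimeKey documentation. It creates the three accounts named above, sets the password-never-expires flag, adds autoenrollmentbind to Cert Publishers, and reads the result back. The container path and UPN suffix assume the yourcompany.com domain from the examples; substitute your own.

```powershell
# Added example: create the Step 2 service accounts (not from the original page).
# Run on the domain controller, or any host with the AD PowerShell module, as a domain admin.
Import-Module ActiveDirectory

$domainDns  = 'yourcompany.com'              # assumption: domain from the examples
$usersPath  = 'CN=Users,DC=yourcompany,DC=com'  # assumption: default Users container

# Account names and purposes as listed on the page.
$serviceAccounts = @(
    @{ Name = 'ces-service';        Description = 'Certificate Enrollment Services' },
    @{ Name = 'servlet-service';    Description = 'Tomcat servlet' },
    @{ Name = 'autoenrollmentbind'; Description = 'Active Directory bind account' }
)

foreach ($acct in $serviceAccounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'") {
        Write-Warning "$($acct.Name) already exists, skipping"
        continue
    }

    # Prompt for a long random password generated elsewhere; it is never echoed or stored here.
    $password = Read-Host -AsSecureString -Prompt "Password for $($acct.Name)"

    New-ADUser -Name $acct.Name `
               -SamAccountName $acct.Name `
               -UserPrincipalName "$($acct.Name)@$domainDns" `
               -Path $usersPath `
               -Description $acct.Description `
               -AccountPassword $password `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true `
               -Enabled $true
}

# The bind account must be a member of Cert Publishers.
Add-ADGroupMember -Identity 'Cert Publishers' -Members 'autoenrollmentbind'

# Read back what was configured.
Get-ADUser -Filter "SamAccountName -like '*-service' -or SamAccountName -eq 'autoenrollmentbind'" `
           -Properties PasswordNeverExpires, Description |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, Description

Get-ADGroupMember -Identity 'Cert Publishers' | Select-Object SamAccountName, objectClass
```

If you follow the single-account variant, create one account in the same way and add that account to Cert Publishers instead.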
Step 3 - Add Hosts to DNS Service
To add hosts to the DNS service, perform the following steps:
Open the Server Manager and select Tools > DNS.
Expand your server name on the left-hand side, navigate to Forward Lookup Zones > yourcompany.com, and add the following:
Add a new Host (A) record for each EJBCA server.
Add a new Host (A) record for each Tomcat server.
Add a new Host (A) record for each CS server.
Increment the serial number of Start of Authority (SOA).
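Step 3 from PowerShell, as an added example that is not part of the original PrimeKey documentation. The hostnames and addresses are constructed placeholders; the zone name is the yourcompany.com domain from the examples. The script adds the A records, resolves each one against the local DNS server to confirm it was registered, and reads the SOA serial back so the last step of the procedure can be checked from the shell.

```powershell
# Added example: register the Step 3 hosts in DNS (not from the original page).
# Run on the domain controller (which also runs the DNS role) as a domain admin.
Import-Module DnsServer

$zone = 'yourcompany.com'   # assumption: zone created in Step 1

# Constructed hostname -> address pairs; replace with your EJBCA, Tomcat and CS hosts.
$hostRecords = [ordered]@{
    'ejbca'  = '192.0.2.20'   # EJBCA server
    'tomcat' = '192.0.2.21'   # Tomcat servlet host
    'cs'     = '192.0.2.22'   # Windows Certificate Server host
}

foreach ($entry in $hostRecords.GetEnumerator()) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $entry.Key -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "$($entry.Key).$zone already has an A record, skipping"
        continue
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $entry.Key -IPv4Address $entry.Value
}

# Confirm each name resolves from the server itself.
foreach ($name in $hostRecords.Keys) {
    Resolve-DnsName -Name "$name.$zone" -Server 'localhost' -Type A |
        Select-Object Name, IPAddress
}

# SOA serial as seen after the change; compare it with the value before you added the records.
$soa = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
"SOA serial for ${zone}: $($soa.RecordData.SerialNumber)"
```

If the reverse lookup zone for your subnet exists, `Add-DnsServerResourceRecordA -CreatePtr` creates the matching PTR record in the same call.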