Securing Windows 2000 Server

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Appendix D: Configuring Digital Certificates on Domain Controllers

Published: November 17, 2004 | Updated : May 31, 2006

Note: Welcome to the TechNet Archive. We've created this Archive area so that we can continue to make available older content that is still of interest to some of our users. This allows us to streamline the content offerings on the site and keep it focused on the newest, most relevant content.

Background

Digital certificates can be issued to your domain controllers by any certification authority (CA) that can meet the formatting requirements for the certificates. One way to easily issue digital certificates that are formatted properly is to first configure a Microsoft® Windows® 2000 Enterprise CA (that is, an Active Directory® directory service registered CA), and then configure the domain controller certificates in Active Directory to automatically enroll the domain controllers.

There are at least two reasons for installing digital certificates on domain controllers running Windows 2000 Server or later: to support Simple Mail Transfer Protocol (SMTP) replication, and to support secure Lightweight Directory Access Protocol (LDAP) transactions.

Digital Certificates for SMTP Replication

Active Directory replicates directory information between domain controllers through two protocols: Remote Procedure Call (RPC), which is the default, and SMTP.

Replication by means of RPC is appropriate in most enterprise environments, but SMTP replication is more appropriate between Active Directory sites separated by high latency or low bandwidth network links.

Because SMTP is a cleartext protocol, and because directory replication information is deemed sensitive material, by design SMTP replication can only be initiated if the domain controllers have a way to encrypt the SMTP traffic over the network. The chosen method for encryption is Secure/MIME, or S/MIME, a version of the Multipurpose Internet Mail Extensions (MIME) protocol that supports encryption of messages. Windows 2000 requires digital certificates on each domain controller because replication can and does occur in either direction across a replication link.

All domain controllers that may be enabled for SMTP replication should be enrolled for a domain controller certificate. Each SMTP replication partner is individually configured in the Active Directory Sites and Services Microsoft Management Console (MMC) snap-in, so it should be clear to you which domain controllers require certificates. However, it is often most convenient to simply issue certificates to all domain controllers, especially with Active Directory Group Policy using the auto-enrollment feature to enroll all members of the Domain Controllers organizational unit (OU).

After all the domain controllers are enrolled for digital certificates, any domain controllers that are configured to prefer SMTP replication over Internet Protocol (IP) replication will automatically invoke SMTP replication.

Digital Certificates for Secure LDAP

Windows 2000 domain controllers support LDAP over TCP port 389, which is sent over the network in cleartext. The domain controllers can also support Secure Sockets Layer (SSL) encryption of LDAP over TCP port 636 to encrypt LDAP authentication and to encrypt LDAP data requests and responses. This requirement is very common for enterprise LDAP applications, as the information transmitted over the network by LDAP applications can be very sensitive information—not just the LDAP request/response data, but also the authentication IDs and passwords.

However, before SSL can be enabled for LDAP requests, the domain controller has to have a particular type of digital certificate installed. The digital certificate has to be formatted properly to ensure that LDAP applications operate correctly.

All domain controllers that might make SSL connections should enroll for a domain controller certificate. Some LDAP applications are configured to make LDAP requests to a single LDAP server, so these applications will make requests of the same domain controller each time. Other LDAP applications may be aware of Active Directory. For this reason, any domain controller in a domain or in a forest may receive SSL requests for LDAP. It is a best practice to enroll all domain controllers for domain controller certificates to support the widest range of LDAP application scenarios.

Finally, after the domain controllers are prepared to accept SSL connections, the LDAP applications have to be configured to request SSL connections. domain controllers cannot enforce SSL connections for incoming LDAP requests—the domain controller can only be configured to support SSL for applications that request it.

Installing and Configuring Infrastructure for Domain Controller Certificates

Installing the Enterprise CA

The first phase in this process is to install an Enterprise CA and confirm that the DomainController certificate template is enabled.

If you do not already have an Enterprise CA installed in your Active Directory forest, install an Enterprise CA on a Windows 2000 server that is a member of one of the domains in the Active Directory forest. For more information about installing an Enterprise CA, see the Windows 2000 Server page on TechNet at www.microsoft.com/technet/prodtechnol/windows2000serv/default.mspx.

Confirming Domain Controller Certificate Template Availability

Use the following steps to confirm the domain controller certificate template is available.

To confirm that the domain controller certificate template is available

Open the Certification Authority MMC snap-in on the server.
Double-click the name of your CA (for example, Contoso Enterprise Root CA), then click the Policy Settings folder.
Confirm that DomainController is listed in the right pane.

Configuring Automatic Enrollment

Next you need to configure automatic enrollment in Group Policy for each domain.

To configure automatic enrollment in Group Policy for each domain

In each domain for which you want to enable automatic enrollment for domain controller certificates, open Default Domain Controller Policy using the Group Policy Editor.
Under Computer Configuration, click Windows Settings.
Click Security Settings, and then click Public Key Policies.
Click Automatic Certificate Request Settings.
Right-click the Automatic Certificate Request Settings folder, select New on the context menu, and then click Automatic Certificate Request.
The Automatic Certificate Request Setup Wizard launches. Click Next.
Select the certificate template to use in the request. In this example, you should select Domain Controller, and then click Next.
Select the CA on the Windows 2000 domain to send the certificate request. (In this example, choose the enterprise root CA. An enterprise may have more than one CA.) Click Next.

Note CAs not registered in Active Directory as enterprise CAs will not appear on this list.

Click Finish to create the automatic certificate request. The request for the certificate will take place when the Group Policy object (GPO) is refreshed on the domain controllers.

Assigning Certificate Enrollment Permissions

Finally, you need to assign permission for each Domain Controllers security group of the domain to enroll for the domain controller certificates.

To assign permission for domain controller groups to enroll for domain controller certificates

Start the Active Directory Sites and Services MMC snap-in.
Click the View menu, and then click Show Services Node.
Double-click the Services node and the Public Key Services node, and then Certificate Templates.
Right-click Domain Controller, click Properties, and then click the Security tab.

Note The Domain Controllers group in the CA's domain already has Enroll permission to this template. You will need to assign the Enroll permission to all other Domain Controllers groups from other domains in your forest. Otherwise, those domain controllers will not have permission to successfully request the DomainController certificates, and their attempts to automatically enroll for them will fail.

For each Domain Controllers group from each domain, click the Add button, choose the domain in the Look in drop-down list box, select the Domain Controllers group in that domain, click the Add button, and then click OK.

Testing Digital Certificates for LDAP or SMTP

Testing LDAP Applications That Connect through SSL

When your domain controllers are capable of accepting SSL connections for LDAP requests, each LDAP application will have to be reconfigured to default to SSL communications (TCP port 636).

In this example, the LDAP application is the address book of Microsoft® Outlook® Express. Outlook Express is installed on a Windows 2000 workstation that is not part of the Active Directory forest. This example will help illustrate how the client can be configured to trust the CA that issued the domain controller certificates.

Configuring the Address Book

This procedure only works if a certificate has also been issued to the domain controller from a CA that is trusted by your client. Use the following steps to verify that your domain controller certificate is working properly.

To verify that the domain controller certificate is working properly

After you install the required certificates on the domain controllers, click Start, point to Search, and then click For People.
In the Look in drop-down list box, click Active Directory.
Right-click Active Directory, and then click Properties.
In the Active Directory Properties dialog box, type in the Search Name box the fully qualified domain name of the domain controller to which you want to connect. For example, CDC-01.NORTHAMERICA.CONTOSO.COM.

If you are logged on with a domain account that has permissions to search Active Directory, you can skip this step. Otherwise, provide user credentials for this domain controller in the Account and Password boxes. For example:

Account: domain name\user name

Password: password

Note The domain name is the name of your domain where the account exists, and the user name is the account that you are using to log on. The password must be the password for the account that you are using.

After you have specified the domain controller and the appropriate credentials, click the Advanced tab, and then specify SSL connectivity for LDAP (the port must be configured to 636).
Select a search base that is appropriate to your Active Directory structure. For example, CN=Users,DC=CDC-01,DC=northamerica,DC=corp,DC=contoso,DC=com.
Click OK to close the Active Directory Properties dialog box.

Searching for People in Active Directory

Use the following steps to search for people in Active Directory.

To search for people in Active Directory

In the Find People dialog box, click Active Directory in the Look in drop-down list box.
Click the Advanced tab.
In the define criteria section, select the following criteria for the search:

NAME Contains Administrator
Click Add, and then click Find Now.

Configuring SMTP Replication

If you have not already configured SMTP replication—because it required domain controller certificates on the replicating domain controllers, for example—then you will have to set up the SMTP replication site link between the domain controllers that require this replication.

For more information about configuring SMTP replication, see the "Step-by-Step Guide to Setting up ISM-SMTP Replication" at www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ismsmtp.mspx.

To configure SMTP replication

Start the Active Directory Sites and Services MMC snap-in as a user with permissions to create site links (and, optionally, subnets) and to move domain controllers between sites.
Create a new site—for example, in the Contoso scenario the Boston site was created. Right-click the Sites folder, and then click New Site. Type a name for the site in the Name box (for example, Boston), and then choose a site link object from the list (for example, the DEFAULTIPSITELINK link).
Click OK.
Double-click the Inter-Site Transports folder in the left pane, right-click the SMTP object, and then click New Site Link.
In the Name box, type the name of this site link (for example, East Coast Site Link).
Choose at least two sites to be replicated across this site link (for example, Boston and Default-First-Site-Name), and then click OK.

Verifying Object Connections

Use the following steps to verify object connections.

To verify object connections

Double-click each server object to reveal an NTDS Settings object for each one.
Select each NTDS Settings object, and ensure that there is an NTDS Connection object subordinate to each NTDS Settings object.
1. If you do not see Connection objects below each NTDS Settings object, right-click each NTDS Settings object, select All Tasks, and then click Check Replication Topology. This action forces the Knowledge Consistency Checker (KCC) to check the replication topology, thereby creating a Connection object between the two domain controllers.
Force replication between both domain controllers. Right-click the Connection object subordinate to each NTDS Settings object, and then click Replicate Now.
Refresh the display by pressing F5 or by right-clicking the NTDS Settings object and selecting Refresh. You should now see a Connection object.

Prioritizing SMTP Link Over IP link

Use the following steps to prioritize SMTP link over IP link.

To prioritize SMTP link over IP link

Select SMTP in the Inter-Site Transports container.
In the results pane, select the link object to be configured (that is, the East Coast Site Link object). Right-click this object, and then click Properties.

Note The cost of this site link is 100, which is also the default cost for each site link. For the KCC to favor the SMTP site link over the IP site link, you need to specify a lower cost for the site link called the Default-SMTP-Site-Link object.

Change the cost of the Default-SMTP-Site-Link object to 50 and then click OK. (The cost of the DEFAULTIPSITELINK object can be changed if necessary so that it is more than 50.)
To force replication between both domain controllers, right-click the Connection object subordinate to each NTDS Settings object, and then click Replicate Now.

Requirements for a Domain Controller Certificate

To support secure LDAP or SMTP inter-site Active Directory replication, you must install a certificate on the domain controllers that meets the following requirements:

The digital certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
A private key matching the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
The Enhanced Key Usage extension in the digital certificate includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as the OID).
The Active Directory fully qualified domain name (for example, C01.DOMAIN.COM) of the domain controller must appear in one of the following places:
- The Common Name (CN) in the Subject field.
- The DNS entry in the Subject Alternative Name extension.
The certificate must be issued by a CA that the domain controllers and the secure LDAP clients trust. Trust is established by configuring the clients and the server to trust the root CA that issues the signing certificate for the issuing CA.