The configuration you will prepare consists of two AD DS forests: corp.contoso.com (created using the Base Configuration) and litwareinc.com, created in this TLG mini-module. In the prerequisite configuration you install a two-tier public key infrastructure (PKI) hierarchy and configure Certificate Enrollment Web Services. Ultimately, you will have two AD DS forests and will see how to enroll for computer certificates between them. You will also be able to test a feature added in Windows Server 2012 and Windows 8 called key-based renewal. The computer certificates you obtain will be for computers in the litwareinc.com forest. No forest trust between the two forests is required.
litwareinc.com will be the forest that hosts a web server to which you will deploy an SSL certificate issued by APP1.corp.contoso.com. To get to that point, you must first create the new forest and its DNS structure.
To install the operating system on Litwareinc-DC1
Next, configure the TCP/IP protocol with a static IP address of 10.0.0.7 and the subnet mask of 255.255.255.0.
To configure TCP/IP on Litwareinc-DC1
The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. Note that the "Ethernet" interface name may be different on your computer. Use the ipconfig /all command to list the interfaces.
New-NetIPAddress 10.0.0.7 -InterfaceAlias "Ethernet" -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1
Rename-Computer Litwareinc-DC1
Restart-Computer
To configure Litwareinc-DC1 as a domain controller and DNS server
The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName litwareinc.com
To create a user account in AD DS
The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. Note that the first command prompts you to supply the User1 account password.
New-ADUser -SamAccountName User1 -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "User1" -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Add-ADPrincipalGroupMembership -Identity "CN=User1,CN=Users,DC=litwareinc,DC=com" -MemberOf "CN=Enterprise Admins,CN=Users,DC=litwareinc,DC=com","CN=Domain Admins,CN=Users,DC=litwareinc,DC=com"
Litwareinc-Web1 will be configured as a web server in the litwareinc.com domain. Litwareinc-Web1 will be used to request certificates from the issuing CA in corp.contoso.com, APP1.
Next, install the operating system on Litwareinc-Web1.
To install the operating system on Litwareinc-Web1
Next, configure the TCP/IP protocol with a static IP address of 10.0.0.8 and the subnet mask of 255.255.255.0.
The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. The "Ethernet" interface name may be different on your computer. Use ipconfig /all to list the interfaces.
New-NetIPAddress 10.0.0.8 -InterfaceAlias "Ethernet" -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.0.0.7
To join Litwareinc-Web1 to the Litwareinc domain
The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. You must supply the User1 account domain credentials after entering the Add-Computer command.
Add-Computer -NewName Web1 -DomainName litwareinc.com -Credential litwareinc\user1
Restart-Computer
Next, install the Web Server (IIS) role to make Litwareinc-Web1 a web server.
To install the Web Server (IIS) server role
1. Sign in as User1 in the Litwareinc domain. In the Dashboard console of Server Manager, click Add roles and features.
2. Click Next three times to get to the server role selection screen.
3. On the Select Server Roles page, select Web Server (IIS), and then click Next.
4. Click Next three times to accept the default Web Server role settings, and then click Install.
5. Allow the installation to complete, and then click Close.
The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt, performs the same function as the preceding procedure.
Install-WindowsFeature Web-WebServer -IncludeManagementTools
To ensure name resolution between the AD DS forests, you must configure DNS conditional forwarding on the DNS servers of each forest, so that each forest's DNS server forwards queries for the other forest's zone directly to that forest's DNS server.
To configure DNS conditional forwarding for the corp.contoso.com domain:
The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt on DC1, performs the same function as the preceding procedure.
Add-DnsServerConditionalForwarderZone -Name litwareinc.com -MasterServers 10.0.0.7
To configure DNS conditional forwarding for the litwareinc.com domain:
The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt on Litwareinc-DC1, performs the same function as the preceding procedure.
Add-DnsServerConditionalForwarderZone -Name corp.contoso.com -MasterServers 10.0.0.1
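Before attempting cross-forest enrollment it is worth confirming that both forwarders are in place and that names actually resolve through the local DNS server, since a missing or mistyped forwarder shows up later as an opaque enrollment failure. The following script is an added example, not part of the original lab: the function name Test-ConditionalForwarder is assumed, and it uses only the zone names and addresses the lab configures above (10.0.0.1 for DC1, 10.0.0.7 for Litwareinc-DC1).

```powershell
# Added example (not from the original lab): verify the conditional forwarder
# created above and confirm that a host in the other forest resolves through
# the local DNS server. Requires the DnsServer and DnsClient modules that come
# with the DNS Server role on Windows Server 2012.
function Test-ConditionalForwarder {
    param(
        [Parameter(Mandatory)] [string] $RemoteZone,      # zone of the other forest
        [Parameter(Mandatory)] [string] $RemoteHost,      # FQDN that must resolve
        [Parameter(Mandatory)] [string] $ExpectedMaster   # DNS server of that forest
    )

    # 1. The forwarder zone must exist on this server and be of type Forwarder.
    $zone = Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue
    if (-not $zone -or $zone.ZoneType -ne 'Forwarder') {
        Write-Warning "No conditional forwarder for $RemoteZone on this server."
        return $false
    }

    # 2. It must point at the other forest's DNS server, not at something else.
    $masters = @($zone.MasterServers | ForEach-Object { $_.ToString() })
    if ($masters -notcontains $ExpectedMaster) {
        Write-Warning "Forwarder for $RemoteZone points at $($masters -join ', '), expected $ExpectedMaster."
        return $false
    }

    # 3. A real query, pinned to the local server with -Server so the client's
    #    own resolver configuration cannot mask a broken forwarder.
    try {
        $answer = Resolve-DnsName -Name $RemoteHost -Type A -Server 127.0.0.1 -ErrorAction Stop
    } catch {
        Write-Warning "Query for $RemoteHost through the local server failed: $_"
        return $false
    }
    $addresses = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    Write-Verbose "$RemoteHost resolved to $($addresses -join ', ') via forwarder $RemoteZone -> $ExpectedMaster"
    return ($addresses.Count -gt 0)
}

# On DC1 (corp.contoso.com) the other forest is litwareinc.com:
# Test-ConditionalForwarder -RemoteZone litwareinc.com -RemoteHost litwareinc-dc1.litwareinc.com -ExpectedMaster 10.0.0.7
# On Litwareinc-DC1 the other forest is corp.contoso.com, and the enrollment
# web service host (cep1) is the name Litwareinc-Web1 will need later:
# Test-ConditionalForwarder -RemoteZone corp.contoso.com -RemoteHost cep1.corp.contoso.com -ExpectedMaster 10.0.0.1
```

Run it on each domain controller with the parameters shown in the comments; the function returns $true only when the forwarder exists, points at the expected server, and a query through the local server returns an A record, so it can be dropped into a scheduled check as well as used interactively.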
In this section of the lab you will use Litwareinc-Web1 to cross the forest boundary and obtain an SSL certificate from the CA in corp.contoso.com.
Next, you will enroll for an SSL certificate from APP1.corp.contoso.com using Litwareinc-Web1.
The following Windows PowerShell command, run at an administrator-level Windows PowerShell command prompt, performs the same function as the preceding procedure. The request goes to the Certificate Enrollment Policy web service in corp.contoso.com using username and password authentication, so you are prompted for credentials.
Get-Certificate -Template InternetServer -Url "https://cep1.corp.contoso.com/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP" -SubjectName "CN=Litwareinc-Web1" -DnsName "litwareinc-web1.litwareinc.com" -Credential (Get-Credential) -CertStoreLocation "cert:\LocalMachine\My"
Next, you will use APP1 in the corp.contoso.com domain to issue the certificate. To issue the certificate:
Next, retrieve the certificate using Litwareinc-Web1.
To retrieve the certificate
The following Windows PowerShell commands, run at an administrator-level Windows PowerShell command prompt, perform the same function as the preceding procedure. Piping the pending request object from the Request store to Get-Certificate submits it again and, because the CA has now issued the certificate, installs the issued certificate in the local computer store.
cd Cert:\LocalMachine\Request
dir | Get-Certificate -Credential (Get-Credential)
So far this lab has demonstrated how to get a certificate from a CA in one forest to a client computer in another forest. However, it has yet to cover renewal. You can certainly renew the certificate manually using the Certificates snap-in or the Windows PowerShell commands. However, you can also configure the computer to use key-based renewal, in which the computer authenticates with the certificate it already holds in order to renew it. You can do this by configuring Group Policy on the local computer, or on the domain controller, to allow for certificate enrollment. The following sections describe how to implement this using the SSL Certificate Policy that was created earlier.
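Once the certificate has landed in cert:\LocalMachine\My, a practitioner would check it before binding it to IIS: that it chains to a trusted root, that it carries the Server Authentication EKU and the DNS name clients will use, and how much lifetime remains, since key-based renewal has to run while the existing certificate is still valid. The script below is an added example and not part of the original lab; the function names Get-LabWebCertificate and Set-LabHttpsBinding are assumed, and the default subject and DNS name match the Get-Certificate request above (change them if you changed the request).

```powershell
# Added example (not from the original lab): validate the certificate issued
# across the forest boundary and bind it to the HTTPS listener of the default
# IIS site on Litwareinc-Web1. Needs the PKI and WebAdministration modules,
# both present on Windows Server 2012 once the Web Server role is installed.
Import-Module PKI
Import-Module WebAdministration

function Get-LabWebCertificate {
    param(
        [string] $Subject = 'CN=Litwareinc-Web1',              # as requested above
        [string] $DnsName = 'litwareinc-web1.litwareinc.com'   # as requested above
    )
    # Newest certificate with the requested subject that still has its private key
    # (a retrieved request without the key would be useless for TLS).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject $Subject and a private key in LocalMachine\My" }

    # Chain building, Server Authentication EKU (1.3.6.1.5.5.7.3.1) and name
    # match in one call. Test-Certificate returns $false and writes a warning
    # rather than throwing when any of these checks fails.
    $valid = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName -EKU '1.3.6.1.5.5.7.3.1'
    if (-not $valid) { throw "Certificate $($cert.Thumbprint) failed SSL validation for $DnsName" }

    # Remaining lifetime is the window in which key-based renewal must happen,
    # because renewal authenticates with this very certificate.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Verbose ("{0} issued by {1}, expires {2} ({3} days left)" -f
        $cert.Thumbprint, $cert.Issuer, $cert.NotAfter, $daysLeft)
    if ($daysLeft -le 0) { throw "Certificate $($cert.Thumbprint) has already expired" }
    return $cert
}

function Set-LabHttpsBinding {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $SiteName = 'Default Web Site'
    )
    # Add an HTTPS listener on 443 to the site if it does not have one yet...
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    # ...and attach the certificate to it. The SslBindings provider path is
    # "<ip>!<port>"; 0.0.0.0 binds all addresses. Replace any stale binding so a
    # renewed certificate takes effect instead of the old one.
    $bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $bindingPath) { Remove-Item $bindingPath }
    New-Item $bindingPath -Value $Cert | Out-Null
    Write-Verbose "Bound $($Cert.Thumbprint) to https://*:443 on '$SiteName'"
}

$cert = Get-LabWebCertificate -Verbose
Set-LabHttpsBinding -Cert $cert -Verbose
```

Running it with -Verbose prints the thumbprint, issuer and remaining lifetime, which is also the quickest way to confirm, after a renewal, that IIS is serving the new certificate rather than the original one.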