Table of Contents
Clustering the certification authority
Lab environment
Prerequisites specific to Contoso
Understanding naming conventions in certification authority clustering
Action Items
Move the certification authority database to shared disk
Verify the certification authority's new database and log location
Install Active Directory Services on the second CA cluster node
Verify and Document the Active Directory Certificate Services (AD CS) DNS Name
Stop Active Directory Certificate Services on Node1
Confirm that the shared disk is available to Node2
Confirm that the network HSM is available to Node2
Import the CA certificate into the local computer certificate store
Associate the CA certificate with the key material stored in an HSM
Install the certification authority role on Node2
Setup failover clustering
Setup failover clustering on Node1 and Node2
Configure AD CS as a cluster resource
Create a dependency between the certification authority and the Network HSM service
Post configuration tasks in Active Directory Domain Services (ADDS)
Enable both cluster nodes to update the CA certificate when required
Give both nodes permissions on the Enrollment container
Give both nodes permissions on the KRA container
Adjust the certification authority's DNS Name in Active Directory Domain Services (ADDS)
Adjust the certification authority's DNS name in any application requesting certificates from the original node
Copy CAPolicy.inf file from original node Node1 to passive node Node2
This document details the steps required to cluster an existing certification authority running on Windows Server 2008 R2 Enterprise Edition in order to provide fault tolerance and high availability for the service. The procedure was tested in a lab environment and should be tested in a lab environment before use. For more information on
The document assumes certain prerequisites and highlights the risks associated with clustering a certification authority. The sections are divided into the tasks required to achieve this goal. Some tasks, such as configuring the Hardware Security Module (HSM), are covered only briefly in this document because they are carried out by the organization's IT Security team.
The following list describes the configuration of the lab environment:
Active Directory Domain: Contoso.com
Certification authority: Active Directory Certificate Services (AD CS) Certification Authority role service is installed and configured on a member server Node1.contoso.com
Certification authority name: The certification authority's sanitized name is Contoso Issuing CA
Additional Servers: Node2.contoso.com is the new AD CS certification authority server joined to the domain, with the same build, patch and driver levels as Node1.contoso.com. The server will be configured as the second node in a certification authority cluster.
Distribution Points: The certificate revocation list (CRL) distribution point (CDP) and authority information access (AIA) locations are configured to point to a member server. CDP/AIA locations are not configured to point to the CA.
Contoso will configure enterprise issuing certification authorities and then configure them in a certification authority cluster when the additional nodes are provisioned. The following prerequisites should be in place before attempting certification authority clustering.
Before you begin, you should plan the names to use during the installation procedure. It is important to properly define these names because they are used throughout the configuration.
The following named items are used in the subsequent sections and step-by-step procedures.
Cluster node: This represents the computer’s host name participating in the cluster. In this document, the cluster nodes refer to Node1.contoso.com and Node2.contoso.com. Both nodes are permitted access to the Authority Information Access (AIA) – CAName, Enrollment Services - CAName, and KRA - CAName objects in Active Directory using Access Control Lists (ACLs). As an example, both nodes Node1 and Node2 are permitted to update the Contoso Issuing CA object in the AIA, Enrollment Services, and KRA containers in Active Directory by giving them full control access.
Cluster: The failover cluster has a unique name that is registered in Active Directory Domain Services (AD DS) and the Domain Name System (DNS). This name refers to the cluster name in the Failover Cluster Management snap-in and not to the clustered certification authority. There is no dependency between the cluster configuration and the clustered certification authority. In this document, the cluster name is cluster. Contoso can choose any name for the cluster. The cluster name is registered in Active Directory and DNS automatically when it is created by an enterprise administrator.
Service: The service name represents the Domain Name System (DNS) name of the clustered CA service, and should be determined before configuring the cluster. This name is independent of the cluster name mentioned earlier. In this document, the service name is ADCS.contoso.com.
Registry Key          Old Value                       New Value
DBDirectory           C:\Windows\System32\Certlog     R:\Certlog
DBLogDirectory                                        R:\CertLog
DBSystemDirectory
DBTempDirectory
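The registry change from the table above, as an added PowerShell example that is not part of the original document. It assumes the database files have already been copied to the shared disk (R:) while the CA was stopped, and it assumes the system and temp directories also move to R:\CertLog, which the table leaves blank.

```powershell
# Added example, not the original document's code: repoint the CA database
# registry values at the shared disk and verify the result.
# Assumption: R: is the clustered shared disk and the database files were
# copied there before this script runs.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$newValues = @{
    DBDirectory       = 'R:\Certlog'
    DBLogDirectory    = 'R:\CertLog'
    DBSystemDirectory = 'R:\CertLog'   # assumption: not given in the table
    DBTempDirectory   = 'R:\CertLog'   # assumption: not given in the table
}

# The CA must be stopped before its database location changes.
Stop-Service -Name CertSvc

# Record the old values so the change can be reverted if needed.
$old = Get-ItemProperty -Path $regPath
foreach ($name in $newValues.Keys) {
    Write-Host ("{0}: {1} -> {2}" -f $name, $old.$name, $newValues[$name])
}

# Refuse to proceed if the target folder does not already hold a database:
# pointing the CA at an empty folder creates an empty database (see the note
# on overwriting the database and logs).
$edb = Get-ChildItem -Path $newValues.DBDirectory -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $edb) {
    throw "No .edb database file found in $($newValues.DBDirectory); copy the database first."
}

foreach ($name in $newValues.Keys) {
    Set-ItemProperty -Path $regPath -Name $name -Value $newValues[$name]
}

Start-Service -Name CertSvc

# Verify: read the values back from the registry and from the CA itself.
Get-ItemProperty -Path $regPath |
    Select-Object DBDirectory, DBLogDirectory, DBSystemDirectory, DBTempDirectory
certutil -getreg DBDirectory
```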
This section explains how to set up the second cluster node. The configuration of the second node is slightly different from the first node. Some configuration settings are already defined on the first node so they only need to be applied on the second node.
The configuration of the second node includes the following tasks:
The following procedure describes these tasks in greater detail.
Determine the fully qualified domain name (FQDN) to use for the certification authority cluster service name. In this document, it is ADCS.contoso.com.
This step should be reviewed by Contoso's team to follow the procedures required by the HSM vendor to retrieve the key and its associated certificate.
This step should be reviewed by the Well Fargo team to follow the procedure required by the HSM vendor to associate the CA's certificate with the key material on the new node Node2.
Note: If you change the database path to the shared disk, you will overwrite the contents of the database and logs, which in turn creates an empty database. In this procedure, you change the path in the registry so that it points to the original database.
Note: Make sure all cluster verification tests complete with the result "The Test Passed" before you proceed.
You need to complete three procedures to configure the CA in AD DS:
When the CA service was installed on the first cluster node, it created the Enrollment Services object and put its own fully qualified domain name (FQDN) into that object. Since the CA can operate on both cluster nodes, the DNS host name of the Enrollment Services object needs to be changed to the service name of the CA configured in Configure AD CS as a cluster resource.
Any system requesting certificates programmatically from the original certification authority node needs to update the dNSHostName property to request certificates from the clustered CA service name configured in Configure AD CS as a cluster resource.
This step is required to ensure the certification authority's renewal settings are the same regardless of which node initiated the request.
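The Enrollment Services update described above, together with the check that clients can reach the CA through the clustered service name, as an added PowerShell example that is not part of the original document. It assumes the ActiveDirectory module is available, that the CA object is named "Contoso Issuing CA", and that the service name is ADCS.contoso.com.

```powershell
# Added example, not the original document's code: repoint the CA's
# Enrollment Services object at the clustered service name and verify it.
# Assumptions: ActiveDirectory module installed; CA name and service name
# match the lab environment in this document.
Import-Module ActiveDirectory

$caName      = 'Contoso Issuing CA'
$serviceName = 'ADCS.contoso.com'
$configNC    = (Get-ADRootDSE).configurationNamingContext
$enrollDn    = "CN=$caName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Show the current value (the FQDN of Node1 after the initial install).
$obj = Get-ADObject -Identity $enrollDn -Properties dNSHostName
Write-Host "Current dNSHostName: $($obj.dNSHostName)"

# Replace it with the clustered service name so clients resolve the CA
# through the cluster rather than through Node1.
Set-ADObject -Identity $enrollDn -Replace @{ dNSHostName = $serviceName }

# Verify the change was written.
$after = (Get-ADObject -Identity $enrollDn -Properties dNSHostName).dNSHostName
if ($after -ne $serviceName) {
    throw "dNSHostName is '$after', expected '$serviceName'"
}

# Confirm that the CA answers through the new config string; this
# "<service name>\<CA name>" string is what applications that request
# certificates programmatically should now use instead of Node1's FQDN.
certutil -config "$serviceName\$caName" -ping
```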