Wikis - Page Details

First published by Kurt L Hudson MSFT
When: 5 Oct 2010 12:35 PM
Last revision by Payman Biukaghazadeh (eMicrosoft Community Contributo)
When: 20 May 2013 8:32 PM
Revisions: 10
Comments: 9

Options

Can You Improve This Article?

Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.

How to Configure a Static DCOM Port for AD CS

To configure the Active Directory Domain Services (AD CS) certification authority (CA) service (CertSvc) to listen on a static DCOM port
If you also want to disable the RPC Interface on the computer running the CertSvc
Additional information

To configure the Active Directory Domain Services (AD CS) certification authority (CA) service (CertSvc) to listen on a static DCOM port

Log on with an account that has local administrator permission on the CA
Open the Component Services snap-In (dcomcnfg.exe).
In the left pane of the Component Services snap-In, expand Component Services, Computers, My Computer, and then DCOM Config.
In the right pane, select CertSrv Request.
On the Action menu, click Properties.
On the Endpoints tab, click Add.
Select Use static endpoint, enter an unused TCP port number, for example, 4000, and then click OK twice.
Close the Component Services snap-In.
Restart the certification authority service.
net stop certsvc
net start certsvc

Return to contents

If you also want to disable the RPC Interface on the computer running the CertSvc

Important
You may not need to perform this step in order to make requests using an alternate port. For example you could potentially use certreq -submit allows the -rpc option (be sure to use lowercase with that option). You may not be able to edit the properties of CertSrv Request by default, since the registry key may be owned by Trusted Installer. In this case, you need to take ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3} and grant Administrators full control to the registry key.

Important

You may not need to perform this step in order to make requests using an alternate port. For example you could potentially use certreq -submit allows the -rpc option (be sure to use lowercase with that option).
You may not be able to edit the properties of CertSrv Request by default, since the registry key may be owned by Trusted Installer. In this case, you need to take ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3} and grant Administrators full control to the registry key.

At the command-line prompt, run one of the following commands (both accomplish the same task):
- certutil -setreg ca\interfaceflags +0x8
- certutil -setreg ca\interfaceflags +IF_NORPCICERTREQUEST
The command output lists the flags that are enabled. Verify that IF_NORPCICERTREQUEST is part of the InterfaceFlags in the command output list. If not, try running the command again (use the command that you did not use the first time from the previous step above, also verify that you have the appropriate permissions, as mentioned in the Important note above).
Restart the certification authority service.

Note
The CA will not change listening ports until the first certificate request comes in, so do not expect that you will see the port change in NETSTAT or other tools until that happens.