How to Configure a Static DCOM Port for AD CS

To configure the Active Directory Certificate Services (AD CS) certification authority (CA) service (CertSvc) to listen on a static DCOM port:

  1. Log on with an account that has local administrator permission on the CA.
  2. Open the Component Services snap-In (dcomcnfg.exe).
  3. In the left pane of the Component Services snap-In, expand Component Services, Computers, My Computer, and then DCOM Config.
  4. In the right pane, select CertSrv Request.
  5. On the Action menu, click Properties.
  6. On the Endpoints tab, click Add.
  7. Select Use static endpoint, enter an unused TCP port number, for example, 4000, and then click OK twice.
  8. Close the Component Services snap-In.
  9. Restart the certification authority service:
        net stop certsvc
        net start certsvc
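The steps above are performed in the Component Services UI. The following PowerShell script is an added example (not part of this article) that does the same thing from an elevated prompt: it checks that the chosen port is free, writes the static endpoint into the CertSrv Request AppID key named in this article, reads the value back, and restarts CertSvc. The value name `Endpoints` and its `protseq,flags,endpoint` string format (flag `0` meaning a static endpoint) are taken from the DCOM AppID documentation rather than from this article, so verify them against your own dcomcnfg-written value before relying on the script.

```powershell
# Added example: configure a static DCOM endpoint for the CertSrv Request AppID.
# Assumes: the AppID GUID from this article; the 'Endpoints' REG_MULTI_SZ value and its
# "protseq,flags,endpoint" format (flags 0 = static endpoint) from the DCOM AppID docs.
# Run in an elevated PowerShell session on the CA.
param([int]$Port = 4000)   # 4000 is the example port used in the article

$appId = 'HKLM:\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}'

# Stay inside the registered/dynamic range; well-known ports are a poor choice here.
if ($Port -lt 1024 -or $Port -gt 65535) {
    throw "Port $Port is outside the range 1024-65535"
}

# The article asks for an unused port: refuse to configure one that already has a listener.
$inUse = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
         Where-Object LocalPort -eq $Port
if ($inUse) {
    throw "TCP port $Port is already in use by PID $($inUse.OwningProcess)"
}

# Same string the Endpoints tab writes: TCP protocol sequence, static flag, port number.
$endpoint = "ncacn_ip_tcp,0,$Port"

try {
    Set-ItemProperty -Path $appId -Name 'Endpoints' -Value @($endpoint) `
        -Type MultiString -ErrorAction Stop
}
catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
    # Matches the Important note: the key may be owned by TrustedInstaller.
    throw "Cannot write $appId. Take ownership of the key and grant Administrators Full Control, then rerun."
}

# Read back and confirm the value landed before touching the service.
$current = (Get-ItemProperty -Path $appId -Name 'Endpoints').Endpoints
if ($current -notcontains $endpoint) {
    throw "Endpoints value was not written as expected; current value: $current"
}
Write-Host "CertSrv Request static endpoint set to $endpoint"

# Restart the CA service so the new endpoint registration takes effect.
Restart-Service -Name certsvc -Force
```

Run it as `.\Set-CaStaticDcomPort.ps1 -Port 4000` (the file name is an arbitrary choice). The read-back check matters because a silent write failure would leave the CA on a dynamic port while the operator believes it is pinned.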


If you also want to disable the RPC interface on the computer running CertSvc, follow these steps:

 Important
  • You may not need to perform this step in order to make requests using an alternate port. For example, certreq -submit supports the -rpc option (be sure to use lowercase for that option).
  • You may not be able to edit the properties of CertSrv Request by default, since the registry key may be owned by Trusted Installer. In this case, you need to take ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3} and grant Administrators full control of the registry key.
  1. At the command-line prompt, run one of the following commands (both accomplish the same task):
    • certutil -setreg ca\interfaceflags +0x8
    • certutil -setreg ca\interfaceflags +IF_NORPCICERTREQUEST
  2. The command output lists the flags that are enabled. Verify that IF_NORPCICERTREQUEST appears among the InterfaceFlags in the output. If it does not, run the command again using the form you did not use in the previous step, and confirm that you have the permissions described in the Important note above.
  3. Restart the certification authority service.
 Note
The CA will not change listening ports until the first certificate request comes in, so do not expect that you will see the port change in NETSTAT or other tools until that happens.
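Because the static port does not appear in NETSTAT until the first request arrives, a naive "is the port listening?" check right after the restart gives a misleading result. The following PowerShell script is an added example (not from this article) that checks the three things that actually matter: the configured endpoint in the AppID key named in this article, the IF_NORPCICERTREQUEST flag as reported by `certutil -getreg`, and the listener state, reporting a missing listener as "not yet bound" rather than as a failure. As in the previous example, the `Endpoints` value name and its `protseq,flags,endpoint` format are assumed from the DCOM AppID documentation.

```powershell
# Added example: verify the static DCOM port and RPC-interface configuration of the CA.
# Assumes: the AppID GUID from this article; the 'Endpoints' REG_MULTI_SZ format
# "protseq,flags,endpoint" from the DCOM AppID docs; certutil -getreg output naming the
# enabled flags, as the article states. Run in an elevated PowerShell session on the CA.
$appId = 'HKLM:\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}'

# 1. Which static TCP endpoint (if any) is configured for CertSrv Request?
$endpoints = (Get-ItemProperty -Path $appId -Name 'Endpoints' -ErrorAction SilentlyContinue).Endpoints
$staticPort = $null
foreach ($e in @($endpoints)) {
    $parts = $e -split ','
    # flags '0' = static endpoint; other flag values denote the Internet/Intranet ranges
    if ($parts.Count -eq 3 -and $parts[0] -eq 'ncacn_ip_tcp' -and $parts[1] -eq '0') {
        $staticPort = [int]$parts[2]
    }
}
if (-not $staticPort) {
    Write-Warning 'No static ncacn_ip_tcp endpoint configured; the CA will use a dynamic DCOM port.'
} else {
    Write-Host "Static DCOM port configured: $staticPort"
}

# 2. Is the RPC ICertRequest interface disabled? The article's command lists enabled
#    flags by name, so look for IF_NORPCICERTREQUEST (bit value 0x8) in that output.
$flagsOutput = certutil -getreg ca\interfaceflags 2>&1 | Out-String
$rpcDisabled = [bool]($flagsOutput -match 'IF_NORPCICERTREQUEST')
Write-Host ("RPC ICertRequest interface disabled: {0}" -f $rpcDisabled)

# 3. Listener state. Per the article the CA does not bind the static port until the first
#    certificate request comes in, so "not listening" immediately after a restart is
#    expected and is reported as such rather than as an error.
if ($staticPort) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $staticPort -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if ($listener) {
        $proc = Get-Process -Id $listener.OwningProcess
        Write-Host ("Port {0} is listening (process {1}, PID {2})" -f $staticPort, $proc.ProcessName, $proc.Id)
    } else {
        Write-Host "Port $staticPort is not listening yet; submit a certificate request (for example with certreq -submit) and re-run this check."
    }
}
```

Rerunning the script after the first request has been submitted is the only reliable way to confirm that the port binding took effect; checking step 3 once is not enough.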

Additional information

This article originates from the Security Forum discussion "2008 R2 CA not using static DCOM port".

Revision comments
  • Kurt L Hudson MSFT edited Revision 7. Comment: Reworked the article based on Senior Developer comments and PFE questions

  • Ed Price MSFT edited Revision 6. Comment: Updated title to cap standards.

  • Kurt Hudson MSFT edited Revision 5. Comment: Expanded tags

  • Kurt Hudson MSFT edited Revision 3. Comment: changed command font to tahoma, marked UI interfaces appropriately bolded UI text

  • Kurt Hudson MSFT edited Revision 2. Comment: Updated navigation with TOC and links to subsections.

  • Kurt Hudson MSFT edited Revision 1. Comment: Continuing with updates - mostly formatting

  • Kurt Hudson MSFT edited Original. Comment: further updates

Comments
  • Some details were not included here from the original thread:

    1) You may not be able to edit the properties of "CertSrv Request" by default, since the registry key may be owned by "Trusted Installer". In this case, you need to take ownership of HKLM\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3} and grant Administrators full control to the registry key

    2) After making these changes, the specified port will not be open on the certificate server until the RPC is requested by a client
