Source Certificate Enrollment Web Services. Destination: DC. Destination: DC. Random port above port All clients requesting certs. Source: Windows 7 client.
The Add Roles and Features Wizard opens. In Select destination server, ensure that Select a server from the server pool is selected.
In Server Pool, ensure that the local computer is selected. Click Next. When you are prompted to add required features, click Add Features, and then click Next. In Confirm installation selections, click Install. Do not close the wizard during the installation process. When installation is complete, click Configure Active Directory Certificate Services on the destination server.
Read the credentials information and, if needed, provide the credentials for an account that is a member of the Enterprise Admins group. On the Specify the type of the private key page, verify that Create a new private key is selected, and then click Next. Large key character lengths provide optimal security; however, they can impact server performance and might not be compatible with legacy applications.
I will try and re-phrase to help clarify my confusion as I could also be wrong with my thought process.
The top heading of the site does indicate AD CS, but every comment in the matrix refers specifically to the role not all roles.
It's possible the article is speaking to all AD CS roles and the author did not provide context, but because they chose to only call out a specific role it seems specific to that. Am I wrong?
Question 1: From client computers - source, what ports are required to be opened on the Subordinate CA destination?
Question 2: As you mentioned TCP was not listed in the above article and should be based on all the other articles we've read, so can you clarify the following? Is this correct? The call is being made over the single port as I understand it so we would not want to open the Root and Subordinate CAs entire port range of I would think. I do have two follow-up questions regarding an online Root CA in the two tier configuration if I may.
Thanks again for the feedback. Thank you again for your insight and responses. The purpose for us is more so an anchor I believe and we understand that there really is not much security benefit without it being offline.
Thank you for calling it out. Understanding that clients would never talk to the Root CA unless single tier, should one be online as in our case, would we need to delete the "Certificate Templates" folder contents to prevent it from automatically responding to client requests? We just want to make sure only the Issuing CA is providing and responding to client requests. Thanks again Mark and Amy. This thread has confirmed a few things that have been difficult to locate.