
Part 1: Configure Active Directory Domain Services

The following sections cover administering Active Directory Domain Services and include instructions on how to install and configure Active Directory Domain Services, create service accounts, and add hosts to the DNS service.

In the examples below, the Active Directory Domain Services hostname is dsserver.yourcompany.com. The text enclosed in angle brackets should be replaced with names in your environment.

Step 1 - Install Active Directory Domain Services

The following covers how to install the Active Directory Domain Services.

If an Active Directory environment already exists, continue to Step 2 - Create Service Accounts to create service accounts.

Install Active Directory Domain Services

To install Active Directory Domain Services:

  1. Assign a static IP address to this host.
  2. Give the host an appropriate computer name, in this example <dsserver>.
  3. Open the Server Manager, click Add roles and features, and then click Next.
  4. Select Role-based or feature-based installation and then click Next.
  5. Select Select a server from the server pool, select this server, and then click Next.
  6. Select Active Directory Domain Services.
  7. When prompted to add required features, click Add Features.
  8. Proceed to the Confirmation page and click Install.
  9. When the installation completes, click Close.

Configure Active Directory Domain Services

To configure Active Directory Domain Services:

  1. In the Server Manager notifications, a new task is shown; click Promote this server to a domain controller.
  2. Set the deployment operation to Add a new forest.
  3. Enter the root domain name <yourcompany.com> (lower case is recommended) and click Next.
  4. Enter the Directory Services Restore Mode (DSRM) password <PASSWORD>, confirm the password, and then click Next.
  5. When prompted with the warning "A delegation for this DNS server cannot be created", click Next.
  6. Verify that the NetBIOS domain name is set to <YOURCOMPANY>, and then click Next.
  7. Enter a location for the database, log files, and SYSVOL folders, and then click Next.
  8. Review your selections and click Next.
  9. Verify that all prerequisite checks passed successfully, then click Install.
  10. When the installation completes, close the window; the server will reboot.
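The same installation and promotion can be scripted. The following is an added example, not part of the original documentation: it runs in an elevated PowerShell session on the host that already has its static IP address and computer name, and the domain name, NetBIOS name and folder paths are placeholder values to replace for your environment.

```powershell
# Added example: PowerShell equivalent of Step 1 (install the AD DS role and
# promote this host to the first domain controller of a new forest).
# All values below are placeholders; replace them for your environment.

# Install the role and its management tools (the wizard's "Add Features" step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promotion settings, mirroring the wizard pages:
#   Add a new forest / root domain name / DSRM password / no DNS delegation /
#   NetBIOS name / database, log and SYSVOL paths.
$forest = @{
    DomainName                    = 'yourcompany.com'   # lower case is recommended
    DomainNetbiosName             = 'YOURCOMPANY'
    # Prompt for the DSRM password instead of embedding it in the script.
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # no parent zone: skip the delegation warning
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

Import-Module ADDSDeployment

# Run the prerequisite checks first (the wizard's prerequisite page) and stop
# on any failure before touching the host.
$check = Test-ADDSForestInstallation @forest
if ($check.Status -ne 'Success') {
    throw "Prerequisite checks failed: $($check.Message)"
}

# Promote the server. -Force suppresses the confirmation prompt; the host
# reboots automatically when the promotion completes.
Install-ADDSForest @forest -Force
```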

Step 2 - Create Service Accounts

To create service accounts:

  1. Open the Server Manager and select Tools > Active Directory Users and Computers.
  2. Navigate to <yourcompany.com> and select Users.
  3. Click Action > New > User and add the following service accounts:
    1. Add a service account with the user logon name ra-service and set the password to never expire. This account will be used for the EJBCA CEP and CES servlets.
    2. Add a service account with the user logon name autoenrollmentbind and set the password to never expire. This account will be used as the Active Directory bind account.
  4. Add the account autoenrollmentbind as a member of the Cert Publishers group.

  Warning: For simplicity, a single service account can be used for all permissions to reduce complexity when working on Active Directory permissions. If using a single service account, add this single account in all areas outlined going forward.

  Warning: Do not add the service account to the Protected Users security group. Adding the service account to the Protected Users security group breaks LDAP bind, which is required for EJBCA to connect to Active Directory to sync the certificate templates.
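The account creation and group membership can also be done with the ActiveDirectory module. This added example is not part of the original documentation; the account descriptions and the use of the default Users container are assumptions, and the script also verifies the two membership rules from Step 2 (in Cert Publishers, not in Protected Users).

```powershell
# Added example: PowerShell equivalent of Step 2, run on a domain controller or
# any host with the RSAT ActiveDirectory module. Descriptions are assumed values.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$usersPath = "CN=Users,$($domain.DistinguishedName)"   # the default Users container
$accounts  = @(
    @{ Name = 'ra-service';         Description = 'EJBCA CEP/CES servlet service account' },
    @{ Name = 'autoenrollmentbind'; Description = 'EJBCA Active Directory bind account' }
)

foreach ($acct in $accounts) {
    # Idempotent: skip accounts that already exist.
    if (Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'") { continue }
    New-ADUser -Name $acct.Name -SamAccountName $acct.Name `
        -UserPrincipalName "$($acct.Name)@$($domain.DNSRoot)" `
        -Path $usersPath -Description $acct.Description `
        -AccountPassword (Read-Host -Prompt "Password for $($acct.Name)" -AsSecureString) `
        -PasswordNeverExpires $true -Enabled $true
}

# The bind account publishes certificates to AD, so it belongs in Cert Publishers.
Add-ADGroupMember -Identity 'Cert Publishers' -Members 'autoenrollmentbind'

# Verify the membership rules: Cert Publishers is required, and Protected Users
# must be absent because it disables the LDAP bind EJBCA uses for template sync.
$groups = Get-ADPrincipalGroupMembership -Identity 'autoenrollmentbind' |
    Select-Object -ExpandProperty Name
if ($groups -notcontains 'Cert Publishers') {
    Write-Warning 'autoenrollmentbind is not a member of Cert Publishers'
}
if ($groups -contains 'Protected Users') {
    Write-Warning 'autoenrollmentbind is in Protected Users; LDAP bind from EJBCA will fail'
}
```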

Step 3 - Add Hosts to DNS Service

To add hosts to the DNS service, perform the following steps:

  1. Open the Server Manager and select Tools > DNS.
  2. Expand your server name on the left-hand side, navigate to Forward Lookup Zones > yourcompany.com, and specify the following:
    1. Add a new host (A) record for each EJBCA server.
  3. Increment the serial number of the Start of Authority (SOA) record.
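The DNS records can be added with the DnsServer module as well. This added example is not from the original documentation; the EJBCA host names and addresses are constructed placeholders, and the SOA serial is bumped with the old/new-object pattern the Set-DnsServerResourceRecord cmdlet uses, then each record is resolved against the local server as a check.

```powershell
# Added example: PowerShell equivalent of Step 3, run on the DNS server (dsserver).
# Host names and addresses below are constructed placeholders.
$zone  = 'yourcompany.com'
$hosts = @{                 # EJBCA servers to publish: name => IPv4 address
    'ejbca-ca' = '10.0.0.20'
    'ejbca-ra' = '10.0.0.21'
}

# Add a host (A) record for each EJBCA server (skip names that already exist).
foreach ($name in $hosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $hosts[$name]
    }
}

# Increment the SOA serial number: clone the current SOA record, raise the serial
# and replace the old record with the new one (a serial must never move backwards).
$oldSoa = Get-DnsServerResourceRecord -ZoneName $zone -RRType Soa
$newSoa = $oldSoa.Clone()
$newSoa.RecordData.SerialNumber = $oldSoa.RecordData.SerialNumber + 1
Set-DnsServerResourceRecord -ZoneName $zone -OldInputObject $oldSoa -NewInputObject $newSoa

# Check: every EJBCA name must resolve to the intended address on this server.
foreach ($name in $hosts.Keys) {
    $answer = Resolve-DnsName -Name "$name.$zone" -Type A -Server localhost -ErrorAction Stop
    if ($answer.IPAddress -ne $hosts[$name]) {
        Write-Warning "$name.$zone resolves to $($answer.IPAddress), expected $($hosts[$name])"
    }
}
```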

Step 4 - Install Active Directory Certificate Services Tool

To install Certificates Services tools, perform the following steps:

  1. Open the Server Manager and select Manage > Add Roles and Features.
  2. The Add Roles and Features Wizard opens; click Next.
  3. Select Role-based or feature-based installation and then click Next.
  4. Select Select a server from the server pool, select this server, and then click Next.
  5. Click Next to move to Features.
  6. Expand Remote Server Administration Tools.
  7. Expand Role Administration Tools.
  8. Select Active Directory Certificate Services Tools, then click Next.
  9. Proceed to the Confirmation page and click Install.
  10. When the installation completes, click Close.

Next: Group Policies and Certificate Templates

Next, find instructions on how to install and configure Certificate Enrollment Policies and the Policy Server in Part 2: Group Policies and Certificate Templates.
