Install New Standalone CA Server

  1. On the CA server open Server Manager.
  2. Add roles.
  3. Select the roles to install:
    1. Active Directory Certificate Services.
    2. File Services.
    3. Web Server (IIS).
  4. Next.
  5. On the introduction to Active Directory … window click next.
  6. On the select role services window choose:
    1. Certification Authority.
    2. Certification Authority Web Enrollment.
  7. Next.
  8. For setup type choose standalone.
  9. For CA type choose root CA.
  10. For private key choose create a new private key.
  11. For cryptography, configure RSA 2048 cryptography for the CA (the default).
  12. For the CA name type company-CA or whatever you like.
  13. Set the validity period of the CA certificate in years.
  14. For configure certificate database, leave the default.
  15. For select role services, leave the default and click next.
  16. Install.
  17. If you want to increase the validity of the certificates that the CA issues:
  18. Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name, company-CA in step 12>.
  19. Change the ValidityPeriodUnits value data to the number of years you want.

Set Windows Time Service

By default, Windows-based computers use the following hierarchy:

  • All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
  • All member servers follow the same process that client desktop computers follow.
  • All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
  • All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

We can set the Windows Time Service to sync with an external source.

The external source can be a public NTP server on the Internet or a domain member.

To set the Windows Time Service to sync with a public NTP server:

  • To set the registry on a non-domain server or on the PDC: (screenshots SC01–SC05, not reproduced here)

  • To set the registry on a domain member: (screenshots SC06–SC10, not reproduced here)

  • Useful commands:
    • w32tm /query /source – display the time source.
    • w32tm /config /update – make the configuration changes take effect.
    • net stop w32time – stop the time service.
    • net start w32time – start the time service.
    • w32tm /stripchart /computer:uk.pool.ntp.org – view an offset chart against a specific source (in this case uk.pool.ntp.org).

Sources:

http://support.microsoft.com/kb/816042

http://support.microsoft.com/kb/223184

http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx#w2k3tr_times_tools_dyax

http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

How To Create And Install A Server Certificate From A Stand Alone CA


  1. Open IIS Manager.
  2. Click on the server name.
  3. Double-click Server Certificates.
  4. On the action panel click Create Certificate Request.
  5. On the request certificate window:
  6. Enter the common name, which can be the wildcard *.company.com.
  7. Enter the organization, which is the company name.
  8. Enter the OU, such as “IT”.
  9. Enter the city/location.
  10. Enter the state.
  11. Enter the country as a two-letter code, such as US or IL.
  12. On the cryptographic service provider window leave the defaults, which are Microsoft RSA… and a 1024-bit key length.
  13. On the file name window enter a file name for the “request cert” file and save it.
  14. Click finish.
  15. Go to the CA server.
  16. Go the CA role.
  17. Right click the CA server.
  18. Choose all tasks.
  19. Submit request.
  20. Choose and open the request file that you created before – “wildcard-request.txt”
  21. Now you will find the request pending on the CA server.
  22. Right click the pending certificate.
  23. Choose all tasks.
  24. Choose issue.
  25. After issuing the certificate you will see it under issued certificates.
  26. Right click on the issued certificate.
  27. Choose all tasks.
  28. Choose export binary data.
  29. On the export binary data window mark save binary data to file.
  30. Set a file name .cer and location for the binary file.
  31. This is how the exported certificate looks (screenshot not reproduced here):
  32. Open IIS manager.
  33. Click on the server name.
  34. Double click on server certificates.
  35. On the action panel click on complete certificate request.
  36. On the file name containing the certification… field, browse to select the server certificate.
  37. Choose a friendly name with * (wildcard) so it can serve all web sites.
  38. Right-click the web site to which you want to bind the certificate.
  39. Choose edit bindings.
  40. Click add.
  41. Choose type https.
  42. Enter the same host name as the web site.
  43. Click ok.
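The same request, issuance and import steps driven from PowerShell with certreq.exe, as an added example that is not part of the original page. It assumes placeholder values (a CA reachable as CASRV01\company-CA, the domain company.com, the work folder C:\certs) and, unlike the wizard defaults above, asks for a 2048-bit key and a Subject Alternative Name, because 1024-bit RSA is below current guidance and current browsers match the host name against the SAN rather than the CN.

```powershell
# Added example, not from the original page. Placeholder values: change
# $CaConfig (<CA host>\<CA name> as shown in the CA console), $Dns and $Work.
$CaConfig = 'CASRV01\company-CA'
$Dns      = 'company.com'
$Work     = 'C:\certs'

function New-WildcardRequest {
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    # 2048-bit RSA / SHA-256, non-exportable machine key, Server Authentication
    # EKU, and a SAN listing the wildcard plus the bare domain.
    @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=*.$Dns, O=Company, OU=IT, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.$Dns&"
_continue_ = "dns=$Dns"
"@ | Set-Content -Path "$Work\wildcard.inf" -Encoding ASCII
    certreq.exe -new "$Work\wildcard.inf" "$Work\wildcard-request.txt"
    # A standalone CA answers "Taken Under Submission": note the RequestId it
    # prints, then issue the request in the CA console (steps 21-24 above).
    certreq.exe -submit -config $CaConfig "$Work\wildcard-request.txt"
}

function Complete-WildcardRequest([int]$RequestId) {
    certreq.exe -retrieve -config $CaConfig $RequestId "$Work\wildcard.cer"
    certreq.exe -accept "$Work\wildcard.cer"   # joins the cert to its private key
    # Check key size, signature algorithm and SAN before binding it in IIS.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=*.$Dns*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    "Thumbprint $($cert.Thumbprint): $($rsa.KeySize)-bit, $($cert.SignatureAlgorithm.FriendlyName); SAN: $san"
}
```

Run New-WildcardRequest on the web server, issue the pending request on the CA, then run Complete-WildcardRequest with the RequestId; the certificate then appears under Server Certificates in IIS Manager ready for the https binding in steps 38-43.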