Windows Server 2008 R2 CA setup for LDAP over SSL.

A Windows Server 2008 R2 Domain Controller was set up previously as a root CA for the domain. Initially the install was configured as Standalone. I have performed the process of backing up the CA keys and config, uninstalling, rebooting, reinstalling the CA as Enterprise, then restoring the CA keys and config. As I understand it, LDAPS should be enabled by default for an Enterprise root CA. The reinstall did not enable LDAPS, as far as I can tell. Running ldp.exe to connect to port 636 does not allow a connection.

I have been thinking of just creating a subordinate CA on another server, though I am unsure about this being the solution, due to the issue at the root CA.

Thanks!
Tech Man asked:

Mahesh (Architect) commented:
No need to create a subordinate CA when you already have an enterprise root CA.
You can confirm the same from the CA console: if you are able to locate certificate templates in the CA console, then it is an enterprise CA.
Have you tried to telnet to the server on port 636?

To work with LDAPS, you need some prerequisites: the certificate subject name must be the same as the domain controller FQDN; usually a Domain Controller / Kerberos Authentication certificate will do.
Also, you need to attach that certificate to Directory Services if you want to be very specific:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

It should work.
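The three prerequisites in this answer (port 636 answering, a server certificate whose name is the DC's FQDN, and a certificate the client can trust) can be checked from any domain member in one pass. The following PowerShell function is an added example written for this thread, not code from the thread or from Microsoft: it connects to port 636, completes a TLS handshake, and reports the certificate's subject, SAN, Server Authentication EKU and chain status. The host name `svr-dc01.test.domain` is a placeholder guessed from the CA name posted later in the thread; substitute the real DC FQDN. Note that the CA's own certificate (CN=test-SVR-DC01-CA) is not what LDAPS presents; the DC needs a separate server certificate issued to its FQDN.

```powershell
# Added example (not from the thread): exercise the LDAPS prerequisites from the answer above.
# $DcFqdn is a placeholder; it must be the domain controller's real DNS name.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory=$true)][string]$DcFqdn,
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($DcFqdn, $Port)   # throws if nothing is listening, matching what ldp.exe/telnet showed

    # Accept any chain during the handshake so the certificate can be inspected;
    # trust is evaluated separately with X509Chain below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Subject Alternative Name (2.5.29.17) and Enhanced Key Usage (2.5.29.37) as display text
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | ForEach-Object { $_.Format($false) }

    # Does this client actually trust the chain? (ldp.exe fails the same way if it does not.)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    New-Object PSObject -Property @{
        Fqdn             = $DcFqdn
        Subject          = $cert.Subject
        SubjectAltName   = $san
        # FQDN must appear as the CN or as a SAN dNSName entry
        NameMatchesFqdn  = ($cert.GetNameInfo('DnsName', $false) -ieq $DcFqdn) -or ("$san" -match [regex]::Escape($DcFqdn))
        # Server Authentication OID 1.3.6.1.5.5.7.3.1 is required for LDAPS
        HasServerAuthEku = [bool]("$eku" -match '1\.3\.6\.1\.5\.5\.7\.3\.1')
        ChainTrusted     = $trusted
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Expires          = $cert.NotAfter
    }
}

# Placeholder host name derived from the CA name in the thread; replace with the real DC FQDN.
Test-LdapsEndpoint -DcFqdn 'svr-dc01.test.domain' | Format-List
```

If `Connect` throws, nothing is listening on 636, which is the symptom reported in the question: the DC only starts LDAPS once it finds a usable certificate, so the remaining fields never come into play until a suitable certificate is in the machine's personal store (or the NTDS\Personal store the linked article describes). If the handshake succeeds but `NameMatchesFqdn` or `HasServerAuthEku` is false, the DC picked a certificate that clients will reject; if only `ChainTrusted` is false, the problem is on the client side (the root CA certificate is not in its trusted roots).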
Tech Man (Author) commented:
Cert templates do not show up in the CA console, which I thought was odd. Maybe I need to uninstall and reinstall again to fix it? No, I have not tried to telnet to port 636. I'll try later today.

I do believe that the cert subject name is correct, though I'll check to be sure.

Thanks!
Tech Man (Author) commented:
I have already read the info at the link. The article states that LDAPS should be enabled when an Enterprise CA is installed. So this concerns me that something may be wrong with the install. I know that I selected Enterprise CA. Unfortunately I have not found anything in the logs to reveal a problem, which is the reason that I am reaching out now.

Thanks!

Tech Man (Author) commented:
Telnet to the server on port 636 yields no response. Pressing the 'enter' key drops back to the cmd prompt.

The subject name of the CA cert is CN=test-SVR-DC01-CA, DC=test, DC=domain.

Thanks!
Mahesh (Architect) commented:
If templates are not showing, it means it is still a standalone root CA.
No need to install an enterprise root CA only for LDAPS; you can get a cert from a 3rd-party CA as well if the domain name is public.
Try to reinstall the CA with the enterprise option again.
Also, you can try latching the cert to the Directory Services personal store as stated in the article.
Chethan (Technical Specialist) commented:
Are you getting any error inside the Server Manager console when you click on the Certificate Templates node in the CA server?
Tech Man (Author) commented:
Mahesh: the domain is private. LDAPS is only needed to allow Citrix NetScaler to authenticate users with AD. I'll do the CA install again, and read some more. Thanks!

Chethan: The folder for Cert Templates is not displayed in the CA console. They are only accessible via the MMC Cert Templates snap-in. Thanks!
Tech Man (Author) commented:
I finally had time to uninstall Cert Srvcs. I rebooted the server afterward, and then reinstalled Cert Srvcs using the existing key a couple of days later. The CA Template folder is now showing up in the CA console. Looks like it worked this time.

I did back up the database, certificate, key and registry config prior to the uninstall. Do I proceed with the restore of the database and registry config?

I'll be testing on Friday.

Thanks!
Mahesh (Architect) commented:
Yes.
In the case of the registry, before the restore, ensure that if it contains the CA type as standalone, you make it enterprise, and verify the DB and log paths and match them to the current ones.
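The values this advice refers to live under the CertSvc configuration key: `CAType` and `WebClientCAType` under the CA's own subkey, and `DBDirectory`/`DBLogDirectory` under the parent `Configuration` key. The script below is an added example for this thread, not code from the thread or from Microsoft. It reads the live registry configuration written by the fresh enterprise install, parses the same four values out of the backed-up .reg export, and flags every difference, so the export can be corrected before it is imported over the new install. The CAType numbers follow the documented ENUM_CATYPES values (0 enterprise root, 1 enterprise subordinate, 3 standalone root, 4 standalone subordinate), which is why the thread's fix was a change from 3 to 0. `$RegExportPath` is a placeholder for the backup file's location.

```powershell
# Added example (not from the thread): compare the live CertSvc registry configuration with the
# backed-up .reg export before restoring it. Run elevated on the CA. $RegExportPath is a placeholder.
$caTypeNames = @{ 0 = 'EnterpriseRoot'; 1 = 'EnterpriseSubordinate'; 3 = 'StandaloneRoot'; 4 = 'StandaloneSubordinate' }

function Get-CaRegistryConfig {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $cfg  = Get-ItemProperty -Path $base                               # Active, DBDirectory, DBLogDirectory
    $ca   = Get-ItemProperty -Path (Join-Path $base $cfg.Active)       # CAType, WebClientCAType under the CA name
    New-Object PSObject -Property @{
        CAName          = $cfg.Active
        CAType          = $ca.CAType
        CATypeName      = $caTypeNames[[int]$ca.CAType]
        WebClientCAType = $ca.WebClientCAType
        DBDirectory     = $cfg.DBDirectory
        DBLogDirectory  = $cfg.DBLogDirectory
    }
}

# A .reg export stores DWORDs as "CAType"=dword:00000003 and strings with doubled backslashes,
# e.g. "DBDirectory"="C:\\Windows\\system32\\CertLog".
function Get-CaRegistryBackupValues {
    param([Parameter(Mandatory=$true)][string]$RegExportPath)
    $text  = (Get-Content -Path $RegExportPath) -join "`n"            # Get-Content honours the UTF-16 BOM
    $dword = { param($name) if ($text -match ('"' + $name + '"=dword:([0-9a-fA-F]{8})')) { [Convert]::ToInt32($matches[1], 16) } }
    $str   = { param($name) if ($text -match ('"' + $name + '"="([^"]*)"')) { $matches[1] -replace '\\\\', '\' } }
    New-Object PSObject -Property @{
        CAType          = & $dword 'CAType'
        WebClientCAType = & $dword 'WebClientCAType'
        DBDirectory     = & $str 'DBDirectory'
        DBLogDirectory  = & $str 'DBLogDirectory'
    }
}

function Compare-CaConfig {
    param([Parameter(Mandatory=$true)][string]$RegExportPath)
    $live   = Get-CaRegistryConfig
    $backup = Get-CaRegistryBackupValues -RegExportPath $RegExportPath
    foreach ($name in 'CAType', 'WebClientCAType', 'DBDirectory', 'DBLogDirectory') {
        $l = $live.$name
        $b = $backup.$name
        $flag = if ("$l" -eq "$b") { 'same' } else { 'DIFFERS - fix the export before importing' }
        '{0,-16} live={1,-40} backup={2,-40} {3}' -f $name, $l, $b, $flag
    }
    if ($backup.CAType -eq 3 -or $backup.CAType -eq 4) {
        "Backup still records a standalone CAType ($($backup.CAType)); set CAType and WebClientCAType to 0 (enterprise root) in the export first."
    }
    foreach ($dir in $live.DBDirectory, $live.DBLogDirectory) {
        if (-not (Test-Path -Path $dir)) { "Live path does not exist: $dir" }
    }
}

Compare-CaConfig -RegExportPath 'C:\CABackup\certsvc-config.reg'   # placeholder path
```

`certutil -getreg CA\CAType` reports the same live value from the command line. Any value that differs should be edited in the .reg export (a text file) rather than imported and fixed afterwards: importing a standalone CAType over an enterprise install puts the CA straight back into the state where certificate templates disappear from the console and the DC never obtains an LDAPS certificate.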

Tech Man (Author) commented:
Thanks for the help. All is looking good now. DB restored, registry config restored after comparing the previous with the current, and changing the CAType and WebClientCAType to '0' from '3'. Running ldp.exe and connecting using port 636 & SSL, the connection works. Much appreciated.

G'Day!