Requirements for domain controller - Windows Server (2024)

This article describes the requirements that you need to fulfill to issue a domain controller certificate from a third-party certification authority (CA).

Applies to: Windows Server 2012 R2
Original KB number: 291010

Summary

For more information about the requirements for a Windows Server 2008 R2 domain controller certificate from a third-party CA, see Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA.

Support

  • Currently, Microsoft supports the use of third-party domain controller certificates with smart card sign-in only.
  • Currently, Microsoft doesn't support the use of certificates from third-party CAs to support SMTP (Simple Mail Transfer Protocol) replication between domain controllers.
  • Third-party CAs don't support the automatic enrollment and renewal of domain controller or computer certificates.

Requirements

  • You can manually issue a certificate to a domain controller. The certificate for the domain controller must meet the following format requirements:
    • The certificate must have a CRL distribution-point extension that points to a valid certificate revocation list (CRL).

    • Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name), for example:
      CN=server1.northwindtraders.com OU=Domain Controllers DC=northwindtraders DC=com

    • The certificate Key Usage section must contain:
      Digital Signature, Key Encipherment

    • Optionally, the certificate Basic Constraints section should contain:
      [Subject Type=End Entity, Path Length Constraint=None]

    • The certificate Enhanced Key Usage section must contain:
      • Client Authentication (1.3.6.1.5.5.7.3.2)
      • Server Authentication (1.3.6.1.5.5.7.3.1)

    • The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. If SMTP replication is used, the certificate Subject Alternative Name section must also contain the globally unique identifier (GUID) of the domain controller object in the directory. For example:
      Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9
      DNS Name=server1.northwindtraders.com

    • The certificate template must have an extension that has the BMP (BMPString) data value DomainController.

      Note

      The dsstore.exe -dcmon command does not recognize the certificate without one of these extensions.

    • You must use the Schannel cryptographic service provider (CSP) to generate the key.

  • The domain controller certificate must be installed in the local computer's certificate store.

Sample certificate

X509 Certificate:
Version: 3
Serial Number: 61497f5e000000000006
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=TestCA
    DC=northwindtraders
    DC=com
NotBefore: 2/12/2001 3:57 PM
NotAfter: 7/10/2001 10:24 AM
Subject:
    CN=TEST-DC1
    OU=Domain Controllers
    DC=northwindtraders
    DC=com
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    0000  30 81 89 02 81 81 00 b1 c8 84 ce ea 5c da 96 23
    0010  4b d5 07 d7 27 f3 76 1f d3 0f 23 3f 8b fa 8b 68
    0020  34 09 47 4a f5 33 41 77 86 d2 d3 a7 34 19 5c 49
    0030  43 bf 5a 3c 25 a3 77 69 54 ad 84 af 20 b2 c2 f6
    0040  40 f7 82 7f b9 b0 db cb db 76 7c 13 54 8e 3b 5e
    0050  9e 92 a2 42 8d 97 db 07 06 cc 5d 7a 95 9f 7f 8b
    0060  c1 69 7b 0a 6a e7 8f fa 6b c4 60 23 d4 03 88 45
    0070  83 61 2e b2 af a2 f9 69 e2 84 d9 95 01 c4 88 eb
    0080  89 16 5a 4d a4 34 27 02 03 01 00 01
Certificate Extensions: 9
    1.2.840.113549.1.9.15: Flags = 0, Length = 37
    SMIME Capabilities
        [1]SMIME Capability
            Object ID=1.2.840.113549.3.2
            Parameters=02 02 00 80
        [2]SMIME Capability
            Object ID=1.2.840.113549.3.4
            Parameters=02 02 00 80
        [3]SMIME Capability
            Object ID=1.3.14.3.2.7
        [4]SMIME Capability
            Object ID=1.2.840.113549.3.7
    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)
    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Client Authentication (1.3.6.1.5.5.7.3.2)
        Server Authentication (1.3.6.1.5.5.7.3.1)
    1.3.6.1.4.1.311.20.2: Flags = 0, Length = 22
    Certificate Template Name
        DomainController
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        a8 20 ce 65 63 3e cd a1 c8 77 97 44 fa 28 43 71 17 e3 6e 84
    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=44 b8 25 f8 d9 53 c5 96 e1 8c 14 d5 e4 5e 33 3a fc 22 7b e7
    2.5.29.31: Flags = 0, Length = f8
    CRL Distribution Points
        [1]CRL Distribution Point
            Distribution Point Name:
                Full Name:
                    URL=http://test-dc1.northwindtraders.com/CertEnroll/TestCA.crl
                    URL=ldap:///CN=TestCA,CN=test-dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=northwindtraders,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 10a
    Authority Information Access
        [1]Authority Info Access
            Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
            Alternative Name:
                URL=http://test-dc1.northwindtraders.com/CertEnroll/test-dc1.northwindtraders.com_TestCA.crt
        [2]Authority Info Access
            Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
            Alternative Name:
                URL=ldap:///CN=TestCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=northwindtraders,DC=com?cACertificate?base?objectClass=certificationAuthority
    2.5.29.17: Flags = 0, Length = 3d
    Subject Alternative Name
        Other Name:
            1.3.6.1.4.1.311.25.1=04 10 96 8e ea d7 ee ba bc 42 81 db 4f 92 f5 88 db 4a
        DNS Name=test-dc1.northwindtraders.com
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00

How to determine the domain controller GUID

Start Ldp.exe and locate the domain-naming context. Double-click the name of the domain controller that you want to view. The list of attributes for that object contains "Object GUID" followed by a long number. The number is the GUID for that object.
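As an added example (not from the KB article), the Python below converts between the objectGUID string that Ldp.exe displays and the otherName value bytes that certutil prints for OID 1.3.6.1.4.1.311.25.1, and applies the Subject Alternative Name rules from the requirements list. The sample values are taken from this page's sample certificate; the function names are my own.

```python
import uuid

# OID the article gives for the DC objectGUID "Other Name" in the SAN.
NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"

def guid_from_othername_value(value_hex: str) -> uuid.UUID:
    """Decode the 1.3.6.1.4.1.311.25.1 otherName value into the GUID Ldp.exe shows
    as objectGUID. Accepts both forms on this page: the DER-wrapped value certutil
    prints (04 10 + 16 bytes) and the bare 16 bytes in the requirements list."""
    raw = bytes.fromhex(value_hex)          # bytes.fromhex() ignores the spaces
    if len(raw) == 18:                      # DER header present: verify and strip it
        tag, length = raw[0], raw[1]
        if tag != 0x04 or length != 0x10:   # must be an OCTET STRING of 16 bytes
            raise ValueError(f"bad DER header: tag {tag:#04x}, length {length}")
        raw = raw[2:]
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    # AD stores objectGUID as a Windows GUID struct (first three fields
    # little-endian), which is exactly the layout uuid's bytes_le expects.
    return uuid.UUID(bytes_le=raw)

def othername_value_from_guid(guid_text: str) -> str:
    """Inverse: the GUID string read from Ldp.exe -> the DER OCTET STRING value
    (certutil-style hex) that the third-party CA must put in the otherName."""
    raw = uuid.UUID(guid_text).bytes_le
    return "04 10 " + " ".join(f"{b:02x}" for b in raw)

def check_dc_san(dns_names, other_names, smtp_replication=False):
    """Apply the article's SAN rules; other_names maps OID -> value hex.
    Returns a list of problems, empty when the SAN is acceptable."""
    problems = []
    if not dns_names:
        problems.append("SAN has no DNS Name entry")
    guid_hex = other_names.get(NTDS_REPLICATION_OID)
    if smtp_replication and guid_hex is None:
        problems.append("SMTP replication needs the DC objectGUID Other Name")
    if guid_hex is not None:
        try:
            guid_from_othername_value(guid_hex)
        except ValueError as exc:
            problems.append(f"malformed objectGUID Other Name: {exc}")
    return problems

# SAN values copied from this page's sample certificate (test-dc1).
SAMPLE_DNS = ["test-dc1.northwindtraders.com"]
SAMPLE_OTHER = {NTDS_REPLICATION_OID: "04 10 96 8e ea d7 ee ba bc 42 81 db 4f 92 f5 88 db 4a"}

if __name__ == "__main__":
    print("objectGUID as Ldp.exe shows it:", guid_from_othername_value(SAMPLE_OTHER[NTDS_REPLICATION_OID]))
    print("problems:", check_dc_san(SAMPLE_DNS, SAMPLE_OTHER, smtp_replication=True))
```

The two directions let you confirm that the GUID a third-party CA placed in an issued certificate is the one Ldp.exe shows for the DC object, rather than a byte-swapped copy.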

FAQs

What are the requirements for a Windows Server domain controller?

At a minimum, you need a 1.4 GHz, 64-bit CPU that supports Second Level Address Translation, 512 MB of RAM -- or 2 GB of RAM when using Desktop Experience -- and 32 GB of disk space. For better performance, especially with larger domains, consider a faster CPU and 4 GB of RAM.

How many domain controllers do I need for 2000 users?

Each domain controller must have at least 8 GB of RAM and a quad-core CPU. For an enterprise with more than 2000 and fewer than 5000 concurrently logged-in users per domain, you must have at least 4 domain controllers.

What is the minimum number of domain controllers a domain must have?

Every AD domain must have at least one domain controller. Each DC stores a copy of the directory file, and any changes it makes to that file are replicated to all the other DCs in the domain.

What are the system requirements for a Windows Server 2012 R2 domain controller?

Microsoft's recommended Windows Server 2012 R2 requirements include a single 2 GHz, 64-bit processor core, 2 GB of RAM, a 40 GB disk partition and a standard Ethernet (10/100 Mbps or faster) network connection. The server will also require access to an optical drive, along with access to a keyboard, video and mouse.

What are the minimum requirements for a Windows Server 2016 domain controller?

For starters, an organization will need a 1.4 GHz 64-bit processor, 512 MB of RAM, and 32 GB of disk space. There will also need to be one Ethernet network adapter with at least one-gigabit throughput.

What are the minimum requirements for Windows Server 2016 Active Directory?

Windows Server 2016 Editions
  • Processor: 1.4 GHz 64-bit processor.
  • RAM: 512 MB.
  • Disk Space: 32 GB.
  • Network: Gigabit (10/100/1000baseT) Ethernet adapter.
  • Optical Storage: DVD drive (if installing the OS from DVD media).
  • Video: Super VGA (1024 x 768) or higher resolution (optional).
  • Input Devices: Keyboard and mouse (optional).

How many domain controllers does Microsoft recommend?

Typically you would want two domain controllers, one acting as a backup and physically separate from the other (that is, don't put both on the same VM host). If you can get remote offices to authenticate against a centrally located DC, all the better, because you will use less hardware and minimize management.

How many servers must act as a domain controller?

Best practices call for one primary domain controller and at least one backup domain controller to avoid downtime from system unavailability. Another best practice is to deploy each domain controller on a standalone physical server.

Can I have two domains on one domain controller?

Note that you need to create additional domain controllers. Each domain needs its own domain controller; you cannot create multiple domains on the same domain controller. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers.

What are the limitations of a domain controller?

Limitations of a Domain Controller

Domain controllers need additional security mechanisms and infrastructure. Since the domain controller is responsible for user authentication, its failure will cause network damage, and that central role also makes it a common target for cyber attackers.

What is the difference between a domain and a domain controller?

A domain controller is a server that responds to authentication requests and verifies users on computer networks. Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.

What is the difference between Active Directory and a domain controller?

Active Directory is a database that stores and organizes enterprise resources as objects. You can think of Active Directory as a database that stores users and device configurations in AD DS. A domain controller, in contrast, is simply a server running Active Directory that authenticates users and devices.

What are the server requirements for Windows Server 2012?

The minimum requirements to run Server 2012 are a 1.4 GHz 64-bit processor, 512 MB of RAM, 32 GB of disk space, a Super VGA monitor, a keyboard or mouse, Internet access, and a DVD drive for installation.

What are the minimum requirements for Windows Server 2012?

Microsoft hardware specifications for the Foundation edition (Windows Server 2012 R2 Foundation):
  • Min. CPU req.: 1.4 GHz x64
  • x64 RAM (std/max): 2 GB/32 GB
  • ECC: Yes
  • NIC: Multiple NICs supported

What is the minimum domain functional level for Windows Server 2012 R2?

The Windows Server 2003 domain functional level is also deprecated because at the functional level, FRS is used to replicate SYSVOL. That means when you create a new domain on a server that runs Windows Server 2012 R2, the domain functional level must be Windows Server 2008 or newer.

What is the difference between a domain controller and a Windows Server?

The Domain is used to manage access to a set of network resources for a group of users (applications, printers, etc.). This information is stored in a master directory database which resides on a single Windows server on a network. This Windows server is designated as a Domain Controller.

Does Windows Server Essentials have to be a domain controller?

Windows Server Essentials can only be deployed as a domain controller. In this document, Windows Server Essentials does not include Windows Server Essentials. Windows Server Essentials does not need to be a primary server within a Windows domain.

Does my domain controller need a certificate?

The domain controller certificate must be installed in the local computer's certificate store.

What is the difference between a Windows member server and a domain controller?

Although a DC is a server, it should not be confused with a member server inside the AD environment. A member server is a computer in a domain which can perform the functions of a file, application, web, and print server. The DC, on the other hand, is responsible for authentication and authorization.

Article information

Author: Mrs. Angelic Larkin
