Installing AD CS Server role on second cluster node

To install the CA on the second node, complete the following tasks

  1. Log in as a user with Administrative privileges

  2. Select Start then select Server Manager to open Server Manager

  3. Select the File and Storage Services. Click Disks


Figure 96: Server Manager window

  1. Bring the shared disk online on the second cluster node

  2. Copy the exported CA certificate to the second cluster node

  3. Import the CA certificate that was previously created on the first cluster node into the local machine personal store

›_ PowerShell

PS> certutil -addstore -f "My" "<CaName>.cer"
Signature matches Public Key
Certificate "DemoRootCa" added to store.
CertUtil: -addstore command completed successfully.

If you are using Smartcard Authentication, the PIN pad device will prompt you to insert the smartcard and enter the PIN. Then press the OK button on the PIN pad.

  1. To create the link between the imported certificate and the private key held in the HSM, first find the certificate serial number

›_ PowerShell

PS> certutil "<CaName>.cer" | findstr Serial
Serial Number: 3a9f8a8c61129593400f6738896afcc0

  1. Then use the certutil command to repair the link, passing the serial number found above

›_ PowerShell

PS> certutil -f -repairstore -csp "Utimaco CryptoServer Key Storage Provider" my <serial>
CertUtil: -repairstore command completed successfully

If you are using Smartcard Authentication, the PIN pad device will prompt you to insert the smartcard and enter the PIN. Then press the OK button on the PIN pad.
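The two certutil steps above (import the certificate, then repair the link to the HSM key) can be run and verified in one PowerShell session. The script below is an added example and is not part of the Utimaco guide; it assumes the exported certificate is at `.\DemoRootCa.cer` (a placeholder path) and that the KSP name is exactly the one printed in the guide. The check at the end is the one a practitioner wants before starting the AD CS wizard: the store entry must report a private key, and that key must live in the Utimaco provider, not in a software KSP.

```powershell
# Added example (not from the original guide): import the exported CA certificate into
# LocalMachine\My, bind it to the private key in the Utimaco KSP, and verify the binding.
# Assumptions: $CerPath is a placeholder; $Ksp is the provider name quoted in the guide.
$CerPath = ".\DemoRootCa.cer"
$Ksp     = "Utimaco CryptoServer Key Storage Provider"

# 1. Import the certificate. A .cer file carries no key material, so after this step
#    the store entry has no private key yet.
$cert = Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\My
"Imported {0}  Serial={1}" -f $cert.Subject, $cert.SerialNumber

# 2. Re-associate the certificate with the HSM-resident key (equivalent to the guide's
#    'certutil -f -repairstore -csp ... my <serial>'). The KSP may prompt on the PIN pad here.
& certutil.exe -f -repairstore -csp $Ksp my $cert.SerialNumber
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# 3. Verify the result: HasPrivateKey must be true, and the CNG key's provider must be
#    the HSM KSP. Both RSA and ECDSA CA keys are handled.
$bound = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $bound.HasPrivateKey) { throw "Certificate $($bound.Thumbprint) has no private key association" }

$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($bound)
if (-not $key) {
    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($bound)
}
$provider = $key.Key.Provider.Provider   # CngKey -> CngProvider -> provider name
if ($provider -ne $Ksp) { throw "Private key is held by '$provider', expected '$Ksp'" }

"OK: {0} is bound to a key in '{1}'" -f $bound.Thumbprint, $provider
```

If the provider check fails, the repair step bound the certificate to a different key container than the one created on the first node; do not continue with the wizard, because the CA would then sign with a key that is not shared between the cluster nodes.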

  1. Open Server Manager, and under Configure this local server click Add Roles and Features

  2. The Add Roles and Features Wizard displays

  3. Click Next. Select the radio button for Role-based or feature-based installation and click Next

  4. Select the radio button for Select a server from the server pool, select the second cluster node from the server pool, and click Next

  5. Select the Active Directory Certificate Services check box from the Server Roles

  6. The Add features that are required for Active Directory Certificate Services? dialog displays. To add the required features, click the Add Features button

  7. Click Next

  8. Click Next

  9. Select the check box for Certification Authority from the Role services list and click Next

  10. Click Install

  11. Once installation is complete, select the link Configure Active Directory Certificate Services on the destination server. The AD CS Configuration wizard displays

  12. In the Credentials page of the AD CS Configuration wizard click Next

  13. Select the check box for Certification Authority and click Next

  14. Select Enterprise CA as Setup Type and click Next

  15. Select Root CA as type of CA and click Next

  16. Select the radio button for Use existing private key and choose the option Select a certificate and use its associated private key and click Next

  17. Select the CA certificate that was generated on the first cluster node and click Next

  18. Change the default paths for the database and log location to the shared disk and click Next

  19. A dialog box displays stating that an existing database was found. Click Yes to overwrite

  20. In the Confirmation page click Configure

  21. Verify that the CA service has started successfully by running the following command (in PowerShell use sc.exe explicitly, since sc is an alias for Set-Content)

›_ PowerShell

PS> sc.exe query certsvc
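Beyond checking that certsvc is running, it is worth confirming that this node's CA configuration actually points at the shared disk chosen in the wizard and that the CA answers requests. The script below is an added example, not part of the Utimaco guide; it assumes the shared disk is mounted as drive S: (a placeholder) and reads the standard CertSvc configuration values from the registry.

```powershell
# Added example (not from the original guide): post-configuration checks on the second
# cluster node. Assumption: the shared disk is drive S: (placeholder, adjust to your setup).
$SharedDrive = "S:"

# 1. Service state (equivalent to 'sc.exe query certsvc'); start it if it is not running.
$svc = Get-Service -Name certsvc
"certsvc state: {0}" -f $svc.Status
if ($svc.Status -ne 'Running') {
    Start-Service -Name certsvc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# 2. Database and log directories must be on the shared disk, otherwise each node would
#    keep its own CA database and the two nodes would diverge after a failover.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active          # name of the active CA
$caCfg  = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
foreach ($valueName in 'DBDirectory', 'DBLogDirectory') {
    $path = $caCfg.$valueName
    if (-not $path.StartsWith($SharedDrive, [StringComparison]::OrdinalIgnoreCase)) {
        throw "$valueName is '$path', expected a location on $SharedDrive"
    }
    if (-not (Test-Path -Path $path)) { throw "$valueName '$path' is not reachable from this node" }
    "OK: {0} = {1}" -f $valueName, $path
}

# 3. The CA must respond over its RPC interface; -ping fails if the service is up but the
#    CA cannot open its database or access its private key.
& certutil.exe -ping
if ($LASTEXITCODE -ne 0) { throw "CA '$caName' did not answer certutil -ping (exit code $LASTEXITCODE)" }
"OK: CA '$caName' is online"
```

Run this on whichever node currently owns the shared disk; on the passive node the path check is expected to fail until the disk is moved there, which is why the CA service is normally controlled by the cluster rather than started by hand.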