While I now have a better idea on MS Certificates, I remember I had no idea of what it was really and the necessity behind it with English being my third language. I am hereby suggesting that the basic who, what, when, how, and why questions are answered in each IT training video to amplify easy comprehension of the subject matter. Often times a lot can be said in the presentation, and yet the viewer is still left confused as to what is the real function and why this topic is needed in the first place. I know this is simply the result of cultural or linguistic assumptions, but an awareness of this will make these magnific video presentations even more useful and to more people....
Hi Raymond, thanks very much and congrats on your language accomplishments. I really do appreciate your feedback and I’m delighted that you found my videos useful in the future. I believe that Google are using AI to re-dub videos in my natural language. This will be a very exciting development. It’s currently in beta I believe, anyway keep watching and thanks again for your support. All the best, Andy
Great video, although I'd install the root CA as a standalone server, issue the certificate, export it to a pfx file, turn off the root CA server, disconnect the server physically from any network, power outlet, and turn it on only whe it is time to renew the certificate. I would then manually import the root certificate into the issuing CA, which can be on an AD environment.
Once you have a setup complete and working is there any maintenance involved? How do you handle / correct failed request or issued certs that have expired? Thanks
i have enterprise root ca in my lab environment, and i wonder do i need to enable the AD DS role in this very same server in order to propagate the certificate to all domain member pc...
I’m sorry but configuration manager is not one of my products. I will take a look at docs.microsoft.com, this is the definitive source of documentation from Microsoft. Thanks again
Hello, I am looking for a solution to extract "Issued Certificates" folder metadata(all available columns) via linux ldapsearch command, maybe you can help me please to identify parameters?
Typically the public cert you purchased is from a public provider. They are the certificate authority here. If you create your own cert authority, in Azure you would need to copy the cert to every users device in the company. So no these are separate.
Andy: I wrongly named my certificate authority with a different name (office-one) instead of the computer name (pdc.onsite) --- can I rename it? it seems the certificates won't work
Thanks for this Andy, very helpful. I have an expired certificate on a radius server which needs renewing. Its issued by another internal server on the LAN. When i try to right click renew it i get an error basically saying that it cant be renewed as its expired!
Thank you!! Just a general question- what happens if you don't install or issue certificates, how would that limit or interfere with the organization? Are they a must? Can you explain please?
@@AndyMaloneMVP @guy3008 . Have been facing an issue with windows hello for Business. I believe this will resolve that issue as WHFB was unable to authenticate. Thank you for this video !!
Excellent video. Thanks. I installed an Enterprise CA but using an account with Domain Admin rights only and after initial configuration I got some uncommon warnings. I did not go further. How do I uninstall this CA? Thanks
I’m glad you’re enjoying the videos. Put all documentation relating to this please visit Microsoft Learning are use the following link.learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects
Friend, in advance, magnificent work! I have a difficulty. I configured the certificate in AD CS and would like to apply it for S/MIME in Outlook. I have already installed the certificate in AD and exported it in .pfx, I installed it on my machine but when I configure it in Outlook, it does not work. Any tips?
Andy if you are reading it , i would love to say that you look like a lot from the lord of the rings character , which makes it even more interested for audience like me to see your technical videos
How did you create certificate? you selected .....later and then in configuring the second role you showed that it is already created and you selected it. your speech does not match what is being done in the video
thank you for the video, I was watching specifically to see the setup of the service account (being good practice to do so... lol) it is the one thing you didn't show in this demo, however, so I am still at a loss.
Hello. I am writing from Azerbaijan :) I am grateful for such a nice explanation and your slow and calm expression helped me to understand more. But I have a question, is making an internal certificate server in windows active directory the same as you describe? I have been given a task as I mentioned above by the company where I am doing my internship and I am trying to do this task. Thanks in advance!
Greetings from Scotland. Absolutely you can create a standalone or enterprise certificate server that you can use with active directory. The best place to learn this is by going to learn.microsoft.com. This is the definitive source of documentation and learning. I wish you all the very best and welcome to my channel. 👍
Hi Andy, Watching your videos on TH-cam and wanna say big thanks to you for job you're doing here, I really appreciate this. I'm just wondering if you're planning create video regarding Microsoft EFS in a Microsoft domain environment? I'm starting to implement EFS in a domain due to some restricted files where even domain administrator shouldn't have access, and for Recovery agent should be chosen regular user let's say Security supervisor. I think this topic could be interesting not only for my organization.
Thanks for the suggestion. I’ll be honest with you my main focus is now on the cloud. I will try and do as much server based content as I can., However you must appreciate this is no longer my main focus.
Although basics, template duplication, customising and issuing certificate from a member server should have ideally been covered. Export import of certificate I feel deviated topic to securing web urls over IIS where maybe focus could have rather been on certificate templates and issuance
@6:46 - It's a ROOT Certificate, so you do want it to last a very long time, normally 10-years. use templates to issue short live Certificates. @13:12 - that's the RootCA certificate, it's already installed, so no need to install it again, but you need to install in on all the domain pc via GP or manually.
@@AndyMaloneMVP Yes. 100%. You are right. However - given the lack of coverage - I'll moot that perhaps it could be part of a series. CA, installation, updating, retiring - or something like that. Please don't take what I said the wrong way - the tutorial is AAAAA+ :)
@@AdmV0rl0n I’d love too, but as you can see this topic is not as popular as cloud topics. Which is the primary focus of this channel. That said of course I’ll do my best to cover important topics like this from time to time. Thanks for your valuable input though, it’s great to have you on board 👍😊
I really liked every videos on Windows server AD management so far, but this one threw me off a bit. I keep hearing the word 'certificate' but I don't get about who or what purposes they address in all of those steps. It would have been nice to have a small recap on how certificates and certificates CA work, I think ! Good work nonetheless !
While I now have a better idea on MS Certificates, I remember I had no idea of what it was really and the necessity behind it with English being my third language. I am hereby suggesting that the basic who, what, when, how, and why questions are answered in each IT training video to amplify easy comprehension of the subject matter. Often times a lot can be said in the presentation, and yet the viewer is still left confused as to what is the real function and why this topic is needed in the first place. I know this is simply the result of cultural or linguistic assumptions, but an awareness of this will make these magnific video presentations even more useful and to more people....
Hi Raymond, thanks very much and congrats on your language accomplishments. I really do appreciate your feedback and I’m delighted that you found my videos useful in the future. I believe that Google are using AI to re-dub videos in my natural language. This will be a very exciting development. It’s currently in beta I believe, anyway keep watching and thanks again for your support. All the best, Andy
Your way of teaching is outstanding. Complete thorough understanding.
I am addicted of your videos SIR
Aw thanks so much I very much appreciate that 👍😊
Great video, although I'd install the root CA as a standalone server, issue the certificate, export it to a pfx file, turn off the root CA server, disconnect the server physically from any network, power outlet, and turn it on only whe it is time to renew the certificate. I would then manually import the root certificate into the issuing CA, which can be on an AD environment.
Interesting suggestion thanks for the input
Excellent. There are very few videos that cover this topic in a straight forward uncomplicated way. Well done sir. Liked and Subscribed.
Thanks so much I appreciate that😊
this basically saved my life today - thank you for the amazing info!
You’re welcome
@5:11 - you would configure the first 3 option, then and only then can you configure the other 3.
Wow, learned a lot about Installing, Importing and Exporting Certificates, really useful info and an excellent Video, thanks Andy.
You’re very welcome, and thank you 👍
@5:17 - the one that gave you an error, you did install it, you just can't configure it without first configuring the main feature, ADCA.
I know 🙂
I love this video, Andy. Cheers.
Once you have a setup complete and working is there any maintenance involved? How do you handle / correct failed request or issued certs that have expired? Thanks
You can manually or auto enrol users or devices. You can also renew and revoke certs if user leaves.
Is possible use this certificate authority to create one certificate to use on VPN P2S on Azure ?
Hey teacher cloud you please show how do you create one certificate child from one self signed ?
i have enterprise root ca in my lab environment, and i wonder do i need to enable the AD DS role in this very same server in order to propagate the certificate to all domain member pc...
Yes. Or you can use a stand alone server but its a bit more work.
How does this co relates with config manager certificate registration point?
I’m sorry but configuration manager is not one of my products. I will take a look at docs.microsoft.com, this is the definitive source of documentation from Microsoft. Thanks again
Appreciate your efforts where the certificates are using purpose and how to monitor those certificate expire
Active directory certificate Portal
Hello, I am looking for a solution to extract "Issued Certificates" folder metadata(all available columns) via linux ldapsearch command, maybe you can help me please to identify parameters?
No idea sorry. I will check out Microsoft documentation at learn.microsoft.com or visit the Microsoft tech community.
Didn't see this one! Needed some more information about a case by one of my customers. Thanks!
Thanks for explanation. I would like to find out how a third party vendor certificate can be deployed to windows 10 client workstation from CA server.
Great idea for a session👍
Quick question, I purchased a wildcard certificate for my exchange server, can I integrate that here during this setup? Thanks
Typically the public cert you purchased is from a public provider. They are the certificate authority here. If you create your own cert authority, in Azure you would need to copy the cert to every users device in the company. So no these are separate.
Can you make a video how to set up a pki/smartcard authentication infrastructure
Andy: I wrongly named my certificate authority with a different name (office-one) instead of the computer name (pdc.onsite) --- can I rename it? it seems the certificates won't work
Unfortunately not. Uninstall and then reinstall the service
Thanks for this Andy, very helpful. I have an expired certificate on a radius server which needs renewing. Its issued by another internal server on the LAN. When i try to right click renew it i get an error basically saying that it cant be renewed as its expired!
check support docs on learn. Certs are a nightmare if you let them expire
@@AndyMaloneMVP i just walked into this environment which has been neglected 😢
Will the export work for a windows server hosting a web portal that is not able to create a csr?
Honestly I don' know sorry.
Do you need data center for the root or ca's or if you use ndes?
CA or a hosted solution
Thank you!! Just a general question- what happens if you don't install or issue certificates, how would that limit or interfere with the organization? Are they a must? Can you explain please?
Certificates are used for authentication, either for a user or device. Think of a passport. Woithout it you could not travel.
@@AndyMaloneMVP OK thanks so why don't I need to install these on my home pc but I can still surf the internet?
@@AndyMaloneMVP @guy3008 . Have been facing an issue with windows hello for Business. I believe this will resolve that issue as WHFB was unable to authenticate.
Thank you for this video !!
@@mirabdurrehman2615 you’re very welcome and thanks for watching 👍
Thank you for the great job you do to help folks like me learn. Is there any reason the AD CS role would not be installed in a domain?
Thanks John. Yes the sever is a member server and does not have the active directory domain controller, role installed.
Excellent video. Thanks. I installed an Enterprise CA but using an account with Domain Admin rights only and after initial configuration I got some uncommon warnings. I did not go further. How do I uninstall this CA? Thanks
I’m glad you’re enjoying the videos. Put all documentation relating to this please visit Microsoft Learning are use the following link.learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects
Friend, in advance, magnificent work!
I have a difficulty. I configured the certificate in AD CS and would like to apply it for S/MIME in Outlook. I have already installed the certificate in AD and exported it in .pfx, I installed it on my machine but when I configure it in Outlook, it does not work.
Any tips?
Have you followed the steps in learn.microsoft.com all docs are here. Also check out the Microsoft Tech Community
Useful video. Can you install AD CS within the same server where the DC is installed?
Absolutely
Andy if you are reading it , i would love to say that you look like a lot from the lord of the rings character , which makes it even more interested for audience like me to see your technical videos
hehe thats a new one 😃 I'm almost afraid to ask which one?
How did you create certificate? you selected .....later and then in configuring the second role you showed that it is already created and you selected it. your speech does not match what is being done in the video
thank you for the video, I was watching specifically to see the setup of the service account (being good practice to do so... lol) it is the one thing you didn't show in this demo, however, so I am still at a loss.
Ah sorry, I'll include it next time :-)
Perfect! Thank you very much!!
You're welcome!
Had to subscribe. Wish I found your videos sooner!!
Aw thank you most kindly
On 7:36 you skipped a part of the video
You amazing dude! thx for the tutorial
can you do an azure/active directory troubleshooting series please
You mean like this th-cam.com/video/3hfrbJ4vY4k/w-d-xo.html 👍😊
Hello. I am writing from Azerbaijan :) I am grateful for such a nice explanation and your slow and calm expression helped me to understand more. But I have a question, is making an internal certificate server in windows active directory the same as you describe? I have been given a task as I mentioned above by the company where I am doing my internship and I am trying to do this task. Thanks in advance!
Greetings from Scotland. Absolutely you can create a standalone or enterprise certificate server that you can use with active directory. The best place to learn this is by going to learn.microsoft.com. This is the definitive source of documentation and learning. I wish you all the very best and welcome to my channel. 👍
Hello Andy,
Can you please make one video for phishing training in Microsoft 365 without doing phishing campaign?
Thanks in advance.
I actually made one already. Have you seen this th-cam.com/video/KxzpsVO4OEg/w-d-xo.html
Following along on 2025 Insider Preview.
Hi Andy,
Watching your videos on TH-cam and wanna say big thanks to you for job you're doing here, I really appreciate this.
I'm just wondering if you're planning create video regarding Microsoft EFS in a Microsoft domain environment?
I'm starting to implement EFS in a domain due to some restricted files where even domain administrator shouldn't have access, and for Recovery agent should be chosen regular user let's say Security supervisor.
I think this topic could be interesting not only for my organization.
Thanks for the suggestion. I’ll be honest with you my main focus is now on the cloud. I will try and do as much server based content as I can., However you must appreciate this is no longer my main focus.
Thank you so much for your help
Although basics, template duplication, customising and issuing certificate from a member server should have ideally been covered. Export import of certificate I feel deviated topic to securing web urls over IIS where maybe focus could have rather been on certificate templates and issuance
Sure come back on my training and we will cover all of these things. 👍 for a fee of course 🤪
superb!🤩😇
@6:46 - It's a ROOT Certificate, so you do want it to last a very long time, normally 10-years.
use templates to issue short live Certificates.
@13:12 - that's the RootCA certificate, it's already installed, so no need to install it again, but you need to install in on all the domain pc via GP or manually.
Oh my gosh so many comments thank you I appreciate your effort. This was of course just a lab environment to demonstrate it but I thank you anyway
One of the more tricky things that people don't cover is at upgrade AD time, how to migrate your CA services from older servers to new.
That’s a very good point. When this happens some definite preparation needs to be done. Thanks for the comment.
@@AndyMaloneMVP Very few people cover that - its a very 3rd line thing!
@@AdmV0rl0n agreed, however it was beyond the scope of this tutorial, I’m sure you’ll agree 😊
@@AndyMaloneMVP Yes. 100%. You are right. However - given the lack of coverage - I'll moot that perhaps it could be part of a series. CA, installation, updating, retiring - or something like that. Please don't take what I said the wrong way - the tutorial is AAAAA+ :)
@@AdmV0rl0n I’d love too, but as you can see this topic is not as popular as cloud topics. Which is the primary focus of this channel. That said of course I’ll do my best to cover important topics like this from time to time. Thanks for your valuable input though, it’s great to have you on board 👍😊
Thanks very much
You are welcome
I really liked every videos on Windows server AD management so far, but this one threw me off a bit. I keep hearing the word 'certificate' but I don't get about who or what purposes they address in all of those steps. It would have been nice to have a small recap on how certificates and certificates CA work, I think ! Good work nonetheless !
Thanks, I appreciate that and I may get around to recording the sequel soon 😊
happy to be the 250th liker
Yay thanks :-)
That's Good