Hi all,

I have a small Active Directory domain with a single Domain Controller running Server 2003 Standard. It does not host any websites on the internet through IIS, does not host email (by Exchange or anything else), and our VPN is setup through our router. I did not install this domain but I am the administrator now.

There is currently no Enterprise Certificate Authority in this domain, so for some time now the DC has been logging event 36872 ("No suitable default server credential exists on this system"). This event is not my issue - Microsoft says the message can be ignored if no enterprise CA exists (http://support.microsoft.com/kb/261196). But I am wondering if this event is presenting an opportunity.

My question is: Should I install Certificate Services and make the DC an Enterprise Certificate Authority? Are there any benefits to doing so?

I understand from the MS article at http://technet.microsoft.com/en-us/library/cc875810.aspx that a certificate appears to be useful for doing SSL/IPSec, providing wireless authentication, and for securing VPN use, among other things. I am all for security, but my current opinion is that we don't have an extreme need to lock everything down since our domain supports a small group of users who share information very openly, and operates only over a local area network that exists inside the building. So I would like a secure not but over-secure policy appropriate to our needs, and I don't want to burden the DC's resources with unnecessary network services. If I have a certificate for SSL/IPsec, does this mean all network activity to the server i.e LDAP requests would be encrypted? Wireless authentication would be cool, but the wireless router does MAC filtering, so it would not be for gaining access. Does wireless authentication secure packets in the air, even ones that do not access the server i.e. a packet direct from a client computer to the internet? As for VPN, our router handles that, so would adding security on the Windows side/layer of things be redundant?

Thanks for reading, and I welcome all input to my situation :)

Regards,
Neptune Systems

No (short answer) :)

Certificate Services allows you to create and manage "self signed" certificates. Yes, this will allow all kinds of cool security enhancements, but only to the point that any security service based on SSL certificates will be installed, configured, and enabled. Instead of purchasing a commercial SSL certificate, you can create your own, and be your own Certificate Authority. That's the gist of CS - it becomes your private CA for SSL certificates that you publish from your CS. You still need to configure all those other things individually to use the certificates. It's not like some magic service that provides all of this security automatically. ;)

I'm guessing that somewhere in your network, you have RRAS or a MS VPN component defined with SSL but no certificate. I'd locate that service and turn the SSL component off and see if your event log messages go away.

Glenn

Hi all,

I have a small Active Directory domain with a single Domain Controller running Server 2003 Standard. It does not host any websites on the internet through IIS, does not host email (by Exchange or anything else), and our VPN is setup through our router. I did not install this domain but I am the administrator now.

There is currently no Enterprise Certificate Authority in this domain, so for some time now the DC has been logging event 36872 ("No suitable default server credential exists on this system"). This event is not my issue - Microsoft says the message can be ignored if no enterprise CA exists (http://support.microsoft.com/kb/261196). But I am wondering if this event is presenting an opportunity.

My question is: Should I install Certificate Services and make the DC an Enterprise Certificate Authority? Are there any benefits to doing so?

I understand from the MS article at http://technet.microsoft.com/en-us/library/cc875810.aspx that a certificate appears to be useful for doing SSL/IPSec, providing wireless authentication, and for securing VPN use, among other things. I am all for security, but my current opinion is that we don't have an extreme need to lock everything down since our domain supports a small group of users who share information very openly, and operates only over a local area network that exists inside the building. So I would like a secure not but over-secure policy appropriate to our needs, and I don't want to burden the DC's resources with unnecessary network services. If I have a certificate for SSL/IPsec, does this mean all network activity to the server i.e LDAP requests would be encrypted? Wireless authentication would be cool, but the wireless router does MAC filtering, so it would not be for gaining access. Does wireless authentication secure packets in the air, even ones that do not access the server i.e. a packet direct from a client computer to the internet? As for VPN, our router handles that, so would adding security on the Windows side/layer of things be redundant?

Thanks for reading, and I welcome all input to my situation :)

Regards,
Neptune Systems

Excellent - thanks Glenn :)

Regards,
Neptune Systems

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.