ADCS has become site-aware in Windows Server 2012


One of the largely unheralded big new features of Active Directory Certificate Services is that it can now be configured to be site-aware!

This is accomplished by following the detailed steps that are described on the ADCS Wiki link below.

The short version is however as follows:

  1. set the CA to detect which AD site it is in by running the following on the W2k12 CA server:
    certutil -f -setcasites set
  2. set the Windows 8 client to query AD site information about which CA it should enroll for by running the following on the client side:
    certutil -setreg EnrollEnrollFlags 2

…then add some suger and bake for 30 minutes in the oven, that’s it! 🙂

 

AD DS Site Awareness for AD CS and PKI Clients
http://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx

What’s New in AD CS [in Windows Server 2012]?
http://technet.microsoft.com/en-us/library/hh831373.aspx

 

Comments (1)

  1. Anonymous says:

    Hi Ingolfur,

    FYI the registry change is *not* required on Windows 8 as the functionality is included by default. The wiki entry here: social.technet.microsoft.com/…/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx has recently been updated to reflect this.

    Cheers

    JJ