
need to setup ldaps....


johng75

IS-IT--Management
Jul 14, 2004
247
US
Quick background: we have a Win 2003 server running Exchange 2003, DC, DNS, and our DHCP is on a SonicWall.

I have a new Win 2008 R2 Standard machine currently running DC and DNS... in the future it will also have the DHCP.

Our Win 2003 server is getting replaced by 2 servers: this one (Win 2008) will run the DC, DNS, and DHCP, and another that will have Exchange 2010...

Configuration for the Exch 2010 machine has not begun yet...

I have my Win 2008 running the DC, and I've started pointing everything at it for DNS w/o any issues, and users are authenticating fine... I was in the process of setting up our Barracuda proxy server to use this new DC as well, but LDAP will not authenticate? I called Barracuda and after about 2 hrs they informed me that I had to get an SSL certificate to run LDAPS, then Barracuda would be able to use this new DC???

I currently do not have AD CS set up on any servers. Through various searches I found a site that seems to be the easiest to follow.

I've read about self-signed certificates, but I'm very uneasy about the whole process; the more I read the more confused I'm getting. Does anyone know of a "certificate creation for dummies"?

If LDAPS gets enabled, the only machines that would be connecting are going to be local.

Please guide me, oh masters of the unknown :p

Since I'm as close to a 'blank slate' as I can get, I don't want to start down one path and find out I need to back up...

Also, not sure, but since I don't have a CA, wouldn't it be beneficial for me to configure this DC to also have AD CS along with the DC, DNS, DHCP already planned to be on this machine?

Based upon my reading, I've come to the conclusion it isn't going to be a good thing for me to put a CA on my DC, but maybe on my member Windows 2008 STD server that is being used as a file server...

I read one post where it said the CA should be put on a server not on the domain, though? But no real reason why?




Life is not a journey to the grave with the intention
of arriving safely in a pretty and well preserved body,
but rather to skid in broadside, thoroughly used up,
totally worn out, and loudly proclaiming

--"WOW-- What a Ride!"
 
Would it not be worthwhile spending the money on a cert? This would cost you about £70.

Bobby
 
You need to read up on certificate authorities and Public Key Infrastructures before you make decisions about CA design.

Typically you would have a standalone root CA for your environment that is not a domain member and is offline most of the time. You would then use that CA to sign a subordinate CA certificate for your domain CAs. That way if any of your domain CAs become compromised you can simply revoke their certificate and create a new CA. But if you only have a single CA and it becomes compromised, all of your certificates are worthless at that point and you have to build a new PKI from scratch. By having a separate root CA and using subordinate CAs you have more granular controls over your PKI.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
Certified Quest vWorkspace Administrator
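Added example, not from the thread or from any of the posters above: a PowerShell check that ties the two answers together. Run from a domain-joined Windows machine, it connects to the DC on TCP 636, pulls the certificate the DC presents and verifies the three things an AD LDAPS certificate has to satisfy: the Server Authentication EKU, the DC's FQDN in the subject CN or the SAN extension, and a chain that builds to a root the client trusts and passes online revocation checking (the chain printout also shows whether the certificate came via a subordinate CA, the design the post above recommends). The DC name `dc01.example.local` is a placeholder; replace it with your own.

```powershell
# Added example (not from the thread): verify that a DC answers LDAPS on 636 and
# that the certificate it presents meets the AD LDAPS requirements.
# Assumption: $DcFqdn is a placeholder; replace it with your DC's FQDN.
param(
    [string]$DcFqdn = "dc01.example.local",   # placeholder DC name
    [int]$Port = 636
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DcFqdn, $Port)
} catch {
    Write-Host "TCP connect to ${DcFqdn}:$Port failed: $($_.Exception.Message)"
    return
}

# Accept any certificate during the handshake so the certificate can be inspected;
# the real trust decision is made explicitly below with X509Chain.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
} catch {
    Write-Host "TLS handshake failed: $($_.Exception.Message)"
    $tcp.Close(); return
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"

# 1. The EKU extension must include Server Authentication
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasServerAuth = $false
if ($ekuExt) {
    $hasServerAuth = (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)
}
Write-Host "Server Authentication EKU     : $hasServerAuth"

# 2. The DC FQDN must appear in the subject CN or in the Subject Alternative Name
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { "" }
$escaped = [regex]::Escape($DcFqdn)
$nameMatches = ($cert.Subject -match "CN=$escaped") -or ($sanText -match $escaped)
Write-Host "Name matches $DcFqdn : $nameMatches"

# 3. The chain must build to a trusted root and pass revocation checking
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
Write-Host "Chain trusted and not revoked : $chainOk"
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Host "  $($_.Status): $($_.StatusInformation)" }
}
# Print the chain from the leaf up; a middle entry is the subordinate CA
$chain.ChainElements | ForEach-Object { Write-Host "  -> $($_.Certificate.Subject)" }

$ssl.Close(); $tcp.Close()
```

The chain check uses the trust store of the machine you run it on, so a domain member that has the issuing CA in its store will report the chain as trusted while a non-domain appliance (such as the Barracuda box from the first post) will not until the issuing CA's certificate is imported into it; a self-signed DC certificate has to be imported into every client the same way. When the chain fails, the `ChainStatus` lines say why (untrusted root, revocation server offline, name mismatch) before anyone starts re-issuing certificates.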
 