Active Directory setup

Active Directory provides the directory services required for integrating Microsoft Certificate Authority (CA) and Network Device Enrollment Service (NDES). The following steps ensure that the Active Directory environment is properly prepared before configuring the certificate enrollment infrastructure.

Note: It is recommended to perform the setup using an account with Domain Admin privileges to avoid permission-related issues during installation and configuration.

1. Verify Active Directory Domain Availability

  1. Log in to a server that is joined to the domain.
  2. Open Command Prompt.
  3. Verify domain connectivity by running:
    echo %USERDOMAIN%
  4. Verify connectivity to a domain controller:
    nltest /dsgetdc:<your-domain-name>
  5. Ensure the command returns a valid domain controller.

2. Join Infrastructure Servers to the Domain

The following infrastructure components must be joined to the Active Directory domain, as they integrate directly with Microsoft Certificate Services and Active Directory.

  • Certificate Authority (CA) server
  • NDES server (if deployed on a separate machine)

These servers must be domain-joined in order to support Enterprise Certificate Authority integration and certificate template publishing through Active Directory.

Note: The following components are typically deployed outside the Active Directory domain and should not be domain-joined:

  • NDES Proxy server
  • LDAP Proxy server

These proxy components act as intermediaries between BigFix MCM Server and the internal certificate infrastructure and are usually placed in a restricted network for security.

Steps to Join a Server to the Domain:

  1. Open Server Manager.
  2. Select Local Server.
  3. Click Workgroup next to the computer name.
  4. Select Change.
  5. Choose Domain and enter the domain name.
  6. Provide domain administrator credentials when prompted.
  7. Restart the server after joining the domain.

3. Create Service Account for NDES

NDES requires a domain service account.

  1. Open Active Directory Users and Computers.
  2. Navigate to an appropriate Organizational Unit (OU).
  3. Right-click → New → User.
  4. Enter details such as:
    User name: svc_ndes
  5. Set a strong password.
  6. Click Finish.
Note:
  • The created service account:
    • Should be a member of the local IIS_IUSRS group
    • Should have request permissions on the configured CA
    • Should have read and enroll permissions on the NDES certificate template
  • This account will be used during NDES role installation.

4. Verify DNS Resolution

DNS resolution must be available for components that interact directly with Active Directory services.

The following systems must be able to resolve Active Directory domain names and domain controllers:

  • Certificate Authority (CA) server
  • NDES server
  • LDAP Proxy server
  • NDES Proxy server

Run the following commands from the CA and NDES servers:
    nslookup <domain-name>
    nslookup <domain-controller-hostname>

Both commands should resolve successfully.

5. Verify Connectivity to Domain Controllers

After joining the servers to the Active Directory domain, verify that the CA and NDES servers can communicate with the domain controllers. Run the following command from the CA server and the NDES server in a Command Prompt opened with administrative privileges:
    nltest /sc_verify:<domain-name>

Expected result:
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
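
The checks from steps 1, 4 and 5 above, consolidated into one PowerShell pre-flight script that can be run on the CA and NDES servers before the role installation. This is an added example, not part of the product documentation; the domain name and domain controller hostname are placeholders to replace with your own values.

```powershell
# Added example (not from the BigFix documentation): consolidated pre-flight
# checks for the CA / NDES server, covering steps 1, 4 and 5 of this page.
# Assumes an elevated PowerShell session on a domain-joined Windows Server
# 2012+ host (Resolve-DnsName ships with the built-in DnsClient module).
param(
    [string]$DomainName = "corp.example.com",          # placeholder, edit
    [string[]]$Hosts    = @("dc01.corp.example.com")   # placeholder DC hostname(s)
)

$results = [ordered]@{}

# Step 1: confirm real domain membership rather than relying on %USERDOMAIN%,
# which is also set for a local account on a workgroup machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)

# Step 1 (continued): locate a domain controller. nltest returns a non-zero
# exit code when no DC is found, so test $LASTEXITCODE instead of parsing text.
& nltest.exe "/dsgetdc:$DomainName" *> $null
$results['DcLocated'] = ($LASTEXITCODE -eq 0)

# Step 4: the domain name and each DC hostname must resolve to an A record.
foreach ($h in @($DomainName) + $Hosts) {
    try {
        $rec = Resolve-DnsName -Name $h -Type A -ErrorAction Stop
        $results["Dns:$h"] = @($rec | Where-Object { $_.Type -eq 'A' }).Count -gt 0
    } catch {
        $results["Dns:$h"] = $false
    }
}

# Step 5: the computer's secure channel to a DC must be healthy. This is the
# PowerShell equivalent of 'nltest /sc_verify' and does not attempt a repair.
$results['SecureChannel'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# Print a summary and exit non-zero on any failure so the script can gate
# the rest of an automated CA / NDES build.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

A FAIL on DomainJoined or SecureChannel means the server should be rejoined (step 2) before continuing; a FAIL on a Dns entry points at the DNS client settings on that server.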

6. Verify Permissions for Certificate Enrollment

Ensure that the following accounts will later have access to certificate enrollment:

  • NDES service account
  • Administrators managing certificate templates

Permissions will be configured later during Certificate Authority and certificate template configuration.