Home » IT - Microsoft » Enabling site awareness on a CA

Enabling site awareness on a CA

Escribe tu dirección de correo electrónico para suscribirte a este blog, y recibir notificaciones de nuevos mensajes por correo.

Join 5 other followers

February 2016
« Nov   Mar »



All messages posted to this blog are provided "AS IS" with no warranties, and confer no rights. The content of this site are personal opinions and might not represent the Microsoft Corporation view. Regarding any sample code that we provide: This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. This blog serves 2 purposes. Firstly, I want to share information with other IT pros about the technologies we work with and how to solve problems we often face. Secondly, I use my blog as a notebook. There's so much to learn and remember in our jobs that it's impossible to keep up. By blogging, I have a notebook that I can access from anywhere. Anything you do to your IT infrastructure, applications, services, computer or anything else is 100% down to your own responsibility and liability. Mcselles bears no responsibility or liability for anything you do. Please independently confirm anything you read on this blog before doing whatever you decide to do.

To enable certificate services site awareness, the msPKI-Site-Name attribute must be populated for the certification authority (CA) object in the Enrollment Services container of Active Directory Domain Services (AD DS). TheEnrollment Services container is in the Configuration container of AD DS under CN=Public Key Services, CN=Services,CN=Configuration,DC=<domainDistinguishedNamingContext>. For example, the following figure shows a CA named CPANDL-ECA1 has an msPKI-Site-Name attribute value of Main.

To set the msPKI-Site-Name attribute value on a CA, you can run the following command:

certutil -f -setcasites set

You can see the results of this command in the following figure when run on the CPANDL AD DS domain with two Enterprise certification authorities.

The command enumerates all CAs in the enterprise using directory services APIs. The CA site memberships are checked for their current site membership. Then, the CA objects in AD DS are configured for the site name that is appropriate for their network configuration.

To set the the msPKI-Site-Name attribute on a single CA object in AD DS to a specific name, you can run the following command:

certutil -setcasites -f -config "<CAConfigName>" <SiteName>

You can see the configuration of a CA by running the following command: 

certutil | findstr "Config"

The following figure illustrates the configuration of CPANDL-CA1.cpandl.com\CPANDL-ECA1 with the site nameBranch, even though the detected name is Main.

Running the certutil -setcasites command displays and also corrects the name conflict, as shown in the following figure.

return to top 

Client selection of a CA

When enrolling for a template-based certificate, the client queries AD DS for the template and the CA objects. The client then uses a DsGetSiteName  function call to get its own site name. For CAs with the msPKI-Site-Name attribute already set, the certificate services client determine the AD DS site link cost from the client site to each target CA site. ADsQuerySitesByCost  function call is used to make this determination. The certificate services client uses the returned site costs to prioritize the CAs that allow the client the Enroll permission and support the relevant certificate template. The higher cost CAs are tried to be contacted last (only if former CAs are unavailable).

Note: A CA may return no site cost if the msPKI-Site-Name attribute is not set on the CA. If no site cost is available for an individual CA, then the highest possible cost is assigned to that CA.

The following statements apply to the way that a certificate services client contacts the appropriate CA:

  • Each set of CAs that have identical costs will be ordered randomly within that set, to evenly distribute the load.
  • Enrollment is attempted through the lowest cost CAs (smallest numeric site cost value).
  • If contacting that CA fails, the next the higher cost CAs are tried.
  • If none of the CAs (that allow Enroll permission and publish the relevant template) are accessible or responding, the enrollment request fails.


  • Since all Enterprise CAs expect DCOM calls and utilize Kerberos credentials, the type of credentials required by the CA do not affect the CA ordering.
  • None of the client site cost processing and CA ordering operations results in contacting any of the CAs; only AD DS queries and an AD DS site cost query calls are made.
  • If site cost collection is not enabled on the client, the CAs will be ordered randomly.

When the clients and certification authorities are both configured for AD DS site awareness, you can use the certutil -ping command to verify the site costs. For example, the certutil command shown in the following figure is: certutil -ping "CPANDL-CA1.cpandl.com,CPANDL-CA2.cpandl.com"

Source: http://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Microsoft on the Issues

News and perspectives on legal, public policy and citizenship topics

Mike Crowley's Whiteboard

“There are no limits to what you can accomplish when you are supposed to be doing something else."


There Be Dragons

Ken Cenerelli

My life in software development

VMware, Windows, Virtualization (Servers & Desktops)

VMware, Windows, Virtualization (Servers & Desktops)

Just a random "Microsoft Server / Client Tech" info..

"Feeding Your Training and Technology Obsessions"


WordPress.com is the best place for your personal blog or business site.


Documentación técnica, notas y apuntes sobre Administración de Sistemas, Servidores, Redes y más

Microsoft Taste

Mary's Blog

%d bloggers like this: