Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Windows Server 2008 R2, Windows Server 2012
The topics in this section can help you bring Active Directory Certificate Services (AD CS) into compliance with configuration best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of AD CS and who want information about how to interpret and resolve scan results that identify areas of AD CS that are noncompliant with configuration best practices.
Best Practices Analyzer and configuration rules
The Best Practices Analyzer applies configuration rules to identify settings that might require modification for AD DS to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent AD DS from carrying out its prescribed duties in an enterprise.
For more information about Best Practices Analyzer and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).
Topics in this section
Authority information access locations should be included in the extensions of issued certificates
Authority information access locations should include the certificate name suffix
CA database and log files should not be stored on the system drive
Computer autoenrollment should be enabled when an enterprise CA is installed
CRL distribution point locations should be included in the extensions of issued certificates
CRL distribution point locations should include the CRL name suffix
The CRL publication interval for a stand-alone root CA should be at least 30 days
User autoenrollment should be enabled when an enterprise CA is installed
Web server should allow URI containing the "+" character to enable publishing of delta CRLs