Configuring Security

Install KMS

Before you can install Key Management Service (KMS) on an Exchange 2000 server, you must install Windows 2000 Server Certificate Services in your Exchange organization. Certificate Services becomes your organization's certification authority (CA), issuing X.509v3 certificates to your enrolled Advanced Security users.

Important   When installing Certificate Services to use with KMS, Microsoft recommends changing the Valid for field in the CA Identifying Information screen to five years. This is the amount of time before your CA certificate expires. Your CA cannot issue certificates that are valid beyond the period of its own certificate expiration. For administrative purposes, it is better to have a CA certificate that is valid for at least five years.

Certificate Services will also track and maintain Certificate Trust Lists (CTLs) and certificate revocation lists (CRLs) for your organization. Be sure to install the Enterprise version of Certificate Services. For information on Certificate Services, see the Windows 2000 documentation.

This section provides information on installing KMS, as well as related procedures you must perform before, during, and after installation.

Note   Exchange 2000 Key Management servers are compatible with Key Management servers running Exchange 5.5 SP1. To upgrade an Exchange 5.5 Key Management server to Exchange 2000, follow the same procedure you would for any non-KMS Exchange server. For more information, see Upgrading Exchange 4.0 and 5.x to Exchange 2000 Server.

The installation procedure below is only one of the steps required to deploy KMS in your organization. The following table lists additional procedures that must be performed at different points during the KMS installation:

| Procedure | When to Perform It |
| --- | --- |
| Install Exchange Certificate Templates | After installing Certificate Services, and before installing KMS. |
| Select the Startup Password Location | During Exchange/KMS installation. |
| Grant Manage Rights to the Key Management Server | After KMS is installed, before requesting certificates from Certificate Services. |

To install KMS:

  1. Start Microsoft Exchange 2000 Installation Wizard.
  2. In the Component Selection screen, change the install Action next to Microsoft Exchange 2000 (the first selection) to Custom. The default is Typical.

    Important   Make sure you also select Install next to Microsoft Exchange System Management Tools. By default, this is installed with a Typical installation, but not with a Custom installation.

  3. Select Install next to Microsoft Exchange Key Management Service. Perform this step for any other Exchange components you need, and then proceed with the Exchange installation.

Note   If you want to install KMS on a computer currently running Exchange 2000, insert the Exchange CD and start the Microsoft Exchange 2000 Installation Wizard again. In the Component Selection window, select Change next to Microsoft Exchange 2000. Select Install next to Microsoft Exchange Key Management Service, and then click Next.
