Re: Enterprise CA options greyed out.



Brian,

Looks like I answered my own question. I created a user, added it to Domain
Admins, took Domain Admins out of the Administrators group. Logged onto the
server to install Cert services but still got Enterprise and Standalone. I
cannot see how or where I'm getting the Enterprise Admin access you say I am
getting. I'm happy to accept that's what's happening but I have to see how\where
I'm getting these Enterprise rights.

"Brian Komar (MVP)" wrote:

Sigh...
The account you used was in the Enterprise Admins group. End of story.
How many domains in your forest? My guess is one.
Brian

"Gunna" <Gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4FC918AB-8D77-4AB7-B879-301CCC6355B7@xxxxxxxxxxxxxxxx
Brian,

Found some conflicting things. Firstly, as you have already said, you need to
be an Enterprise admin to install an Enterprise Root CA, and if you refer to
this article http://technet.microsoft.com/en-us/library/cc776709.aspx it says
the same.

However,

I just built a new environment. Standard Server 2003 SP2 domain controller
and a Standard Server 2003 SP2 for my Root CA. I logged onto the 2nd machine
as a user with local admin to the second server only (only domain membership
was Domain Users) and tried to install PKI and sure enough I only got the
Standalone options. I stopped the install and then logged on using an
account I created and placed only in the Domain Users and Domain Admins
groups. Then started to install Certificate services and I got both the
Enterprise and Standalone options. I then installed it completely as
Enterprise Root CA as a Domain Admin only with no visible errors or issues.
So what is the Enterprise Admin requirement for?

"Brian Komar (MVP)" wrote:

Gunna,
In your test environment, the account is a member of the Enterprise Admins
group (either directly or through a group nesting).
- You can run an enterprise CA on the Standard, Enterprise, or Data Center
edition SKUs
- To get full functionality, you need to run on Enterprise or Data Center
SKUs
Full Functionality includes: issue certs on V2 cert templates, Key archival,
Brian

"Gunna" <Gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6F2DAA82-E6F9-41E6-B38B-0F5660C14C94@xxxxxxxxxxxxxxxx
Thanks Paul but I'm afraid I am just more confused. Can you answer a question
for me because I read conflicting things. You can or cannot run Enterprise
CA or Enterprise Sub on Standard edition? What is the difference between
running Enterprise on a Standard server versus an Enterprise edition server?

And further to my original post. I am logged onto the member server as a
member of the Domain Admin group only but I can see the option to select
Enterprise Root or Enterprise Sub. Could I be seeing it because the Domain
Admins group is a member of the Administrators group in Active Directory?


"Paul Adare - MVP" wrote:

On Mon, 1 Sep 2008 20:01:01 -0700, Gunna wrote:

I have an issue in Production I'm trying to solve so I decided to replicate
the setup using Virtual PC. I have my DC up and running, then I set up a
member Server running 2003 Server Standard with SP2, this is going to be my
replica standalone root CA.

The strange thing I get is when I go to set up Certificate services the
options for Enterprise CA and Enterprise subordinate are available but when
I set this up in production they were greyed out. I assumed they were not
available because I was running Server standard but here in my lab I
installed Standard and the Enterprise options are available. As if PKI wasn't
confusing enough.

The account you're logged in with needs to be an Enterprise Admin account.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Your password is pitifully obvious.
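
Added example, not part of the thread and not posted by any participant: a PowerShell check for the question of how or where an account picks up Enterprise Admins, first by inspecting the logon token and then by walking `memberOf` nesting upward until a group with the Enterprise Admins RID (519) is reached. The function names and the DN in the usage line are constructed for illustration; it assumes a domain-joined machine with ADSI access to the directory.

```powershell
# Added example, not from the thread. The DN in the usage line is constructed.

# 1) Does the current logon token carry Enterprise Admins (domain RID 519)?
function Test-TokenHasEnterpriseAdmins {
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    foreach ($sid in $groups) {
        if ($sid.Value -like 'S-1-5-21-*-519') { return $true }
    }
    return $false
}

# 2) Which nesting path grants it? Walk memberOf upward from a user or group DN.
#    memberOf omits the primary group (normally Domain Users), so check that
#    group separately if it has been nested anywhere.
function Find-EnterpriseAdminsPath {
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [string[]] $Path = @()
    )
    # A DN already on the current path means circular nesting; stop here.
    if ($Path -contains $DistinguishedName) { return }
    $Path = $Path + $DistinguishedName

    $entry    = [ADSI]"LDAP://$DistinguishedName"
    $sidBytes = [byte[]]$entry.Properties['objectSid'].Value
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    if ($sid.Value -like 'S-1-5-21-*-519') {
        return ($Path -join ' -> ')   # emit the full chain and stop climbing
    }
    foreach ($parentDn in $entry.Properties['memberOf']) {
        Find-EnterpriseAdminsPath -DistinguishedName $parentDn -Path $Path
    }
}

# Usage (constructed DN; substitute the account used to install the CA):
Test-TokenHasEnterpriseAdmins
Find-EnterpriseAdminsPath -DistinguishedName 'CN=TestAdmin,CN=Users,DC=example,DC=com'
```

The token reflects group membership as of logon, so log off and back on after changing groups before re-running the first check.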


