Issuing Domain Controller certificates manually

From: Sebastian Lisken (Sebastian.Lisken@Uni-Bielefeld.DE)
Date: 03/12/03


From: Sebastian Lisken <Sebastian.Lisken@Uni-Bielefeld.DE>
Date: Wed, 12 Mar 2003 14:18:22 +0100


Hi, I am trying to use the Microsoft CA, mostly the Enterprise
variety (I have tried stand-alone as well), to issue certificates
to domain controllers. I am aware of the procedure outlined in
Knowledge Base article Q247078
("http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q247078&").
This will install a procedure that will automatically generate
domain controller certificates. However, I would like to know if
this certificate template (as well as the Computer certificate
template) could also be used with a more manual issuing
procedure, such as the web interface to the CA (or by somehow
generating a certificate request on the domain controller).
If you use the web interface, you will notice that these two
templates ("Computer" and "Domain Controller") are not among the
choices if you "submit a request using a form". The template
is however present in the CA snap-in (see
"http://www.microsoft.com/windows2000/en/advanced/help/sag_CSprocs_CertTempPolicy.htm"),
and when I inspect the permissions of the templates in "Active
Directory Sites and Services"
("http://www.microsoft.com/windows2000/en/advanced/help/sag_CSprocs_CertTempACL.htm")
I can't find a decisive difference to explain why the template
should not be in the web interface.

Any comments appreciated.

Sebastian Lisken


