Need Help with my PKI again

From: Robert Field (rob.field_at_lstrillium.com)
Date: 06/18/04

    Date: 18 Jun 2004 08:46:46 -0700
    
    

    I am in the middle of putting a PKI in for our company. The design I
    have implemented is as follows. In our Windows 2000 Forest we have an
    empty root (Root.Domain) and we have two other trees (Domain1 and
    Domain2).

    I've got a Windows 2003 server hosting our ROOTCA; this sits in its
    own workgroup.

    I then created an Enterprise subordinate CA on one of the DCs sitting
    in Root.Domain; this installed OK. Part of the install required me to
    create a request file to get a certificate from the ROOTCA. This I
    did. We then sent the request via web enrollment, approved it on the
    ROOTCA and then installed it on the domain controller in the
    Root.Domain.

    After this I then installed a second Enterprise Subordinate, this time
    on a domain controller in Domain1. I pointed this towards the
    subordinate CA on the domain controller in Root.Domain. Everything
    seemed to be working OK.

    (I was logged on as Enterprise Admin for the two steps above)

    Now I am trying to automatically deploy a computer certificate to a
    certain number of our Domain1 laptops. When I log on as an Enterprise
    Admin on a DC in Domain1 I can see the two Subordinate CAs in the
    Forest. When I log on as a Domain Admin in Domain1 I cannot see any of
    the CAs. I've checked all the permissions in AD Sites and Services
    and ensured Domain Admins and Domain Computers have Read and Enroll
    rights to them.

    First of all, are there any issues with my proposed CA design? And
    secondly, I am guessing the issue I have is a permissions problem but I
    am running out of places to check. Does anyone have any ideas?

    Robert Field
    Land Securities
    rob.field@lstrillium.com

