Re: Need Help with my PKI again
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 06/19/04
Date: Sat, 19 Jun 2004 07:28:19 -0700
Our best practices guide or MSA guide should help provide you some guidance:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Microsoft Systems Architecture:
http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:uT7sQqWVEHA.3516@TK2MSFTNGP10.phx.gbl...
> Why do you have an empty root domain?
>
> For security reasons I wouldn't install CA server on DC server. Besides that
> you can e.g. encounter problems later when you would like to e.g. upgrade
> your DC and you might not be able to because of CA server and your whole
> domain level will have to stay that way because of CA server...
>
> Mike
>
> "Robert Field" <rob.field@lstrillium.com> wrote in message
> news:4037a39f.0406180746.3632f357@posting.google.com...
> > I am in the middle of putting a PKI in for our company. The design I
> > have implemented is as follows. In our Windows 2000 Forest we have an
> > empty root (Root.Domain) and we have two other trees (Domain1 and
> > Domain2).
> >
> > I've got a Windows 2003 server hosting our ROOTCA; this sits in its
> > own workgroup.
> >
> > I then created an Enterprise subordinate CA on one of the DCs sitting
> > in Root.Domain; this installed OK. Part of the install required me to
> > create a request file to get a certificate from the ROOTCA. This I
> > did. We then sent the request via web enrollment, approved it on the
> > ROOTCA and then installed it on the domain controller in the
> > Root.Domain.
> >
> > After this I then installed a second Enterprise Subordinate, this time
> > on a domain controller in Domain1. I pointed this towards the
> > subordinate CA on the domain controller in Root.Domain. Everything
> > seemed to be working OK.
> >
> > (I was logged on as Enterprise Admin for the two steps above)
> >
> > Now I am trying to automatically deploy a computer certificate to a
> > certain number of our Domain1 laptops. When I log on as an Enterprise
> > Admin on a DC in Domain1 I can see the two Subordinate CAs in the
> > Forest. When I log on as a Domain Admin in Domain1 I cannot see any of
> > the CAs. I've checked all the permissions in AD Sites and Services
> > and ensured Domain Admins and Domain Computers have Read and Enroll
> > rights to them.
> >
> > First of all, are there any issues with my proposed CA design? And
> > secondly, I am guessing the issue I have is a permissions problem but I
> > am running out of places to check; does anyone have any ideas?
> >
> > Robert Field
> > Land Securities
> > rob.field@lstrillium.com