Re: Enterprise Certificate Authority question
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/13/04
- In reply to: T0GGLe: "Re: Enterprise Certificate Authority question"
- Next in thread: T0GGLe: "Re: Enterprise Certificate Authority question"
Date: Wed, 13 Oct 2004 15:59:13 GMT
Active Directory does not require the use of a Certificate Authority. Mike
already gave some ways to find the CA, and you also might want to look in AD
Users and Computers for membership of the Cert Publishers group, which may
not be 100 percent correct if someone added or removed servers from it but
is still a place to check. However, problems with certificates can cause
problems if their use is required.

I would look in the MMC Certificates snap-in for computers on the server
giving you the error messages to see what certificates the DC has been
issued and the purposes in their properties. It will of course have a
domain controller certificate. Check the valid from date on the
certificates to see if any have expired. If they have, you can request a
new certificate or renew it by right-clicking the certificate and selecting
All Tasks. Domain controllers will use their certificate for SSL LDAP if
valid.

Another possibility is that someone set the domain controllers up to use
IPsec with certificate machine authentication for communications among
themselves. You could use the support tool netdiag, as in
"netdiag /test:ipsec", to see if there is an IPsec policy assigned to the
domain controller. If there is, as long as it is not a "require" policy,
communications among computers in that IPsec policy will still work. If
everything functions correctly you can ignore the errors or delete the
certificates if you no longer want to use them.

I would however run the support tool dcdiag on the domain controller in
question to make sure that it is functioning correctly as a domain
controller and communicating/replicating with other domain controllers.
Support tools are on the install disk in the support/tools folder, where
you will need to run the setup program to install them as a set. Note that
you can use the MMC Certificates snap-in to manage/view computer
certificates of remote computers as long as you have admin rights on the
target computer.

-- Steve
"T0GGLe" <jehova1@dsl.pipex.com> wrote in message
news:5a657c10.0410130100.10ffe890@posting.google.com...
> Thanks very much to the pair of you.
>
> I am trawling through that info to try to find answers, but do you
> know if Active Directory actually REQUIRES the issuing of
> certificates? It's just that someone else set up our AD and the more
> and more I look into it the more problems and diversions from best
> practice I keep finding. Not that in this case the person in question
> was doing something wrong, perhaps they were looking for extra
> security, but when the KDC starts complaining that its certificate is
> now invalid it's got us wondering what on earth is going on and what
> ramifications that has.
>
> Cheers again.
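
The certificate review described in the reply above (which certificates the DC holds, their purposes, and whether any have expired) can also be scripted. This is an added example, not part of the original message; the parameter names `ComputerName` and `WarnDays` and the 30-day warning window are assumptions, and it needs a PowerShell version that supports `::new()` plus admin rights on the target computer.

```powershell
# Added example: list the computer-store certificates of a (possibly remote)
# machine with their validity window and purposes (Enhanced Key Usage).
# $ComputerName and $WarnDays are illustrative parameters (assumptions).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$WarnDays = 30
)

$x509 = 'System.Security.Cryptography.X509Certificates'
# "\\<computer>\My" with the LocalMachine location opens that computer's
# Personal store, the same store the Certificates snap-in shows for a computer.
$location = [Enum]::Parse(("$x509.StoreLocation" -as [type]), 'LocalMachine')
$store = ("$x509.X509Store" -as [type])::new("\\$ComputerName\My", $location)
$store.Open([Enum]::Parse(("$x509.OpenFlags" -as [type]), 'ReadOnly'))

try {
    $now = Get-Date
    $report = foreach ($c in $store.Certificates) {
        # Collect the purposes from the EKU extension, if the certificate has one.
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku) {
            $purposes = ($eku.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            }) -join ', '
        } else {
            $purposes = '(no EKU extension)'
        }

        # Classify against both ends of the validity window.
        if ($now -lt $c.NotBefore) {
            $status = 'NotYetValid'
        } elseif ($now -gt $c.NotAfter) {
            $status = 'Expired'
        } elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) {
            $status = 'ExpiringSoon'
        } else {
            $status = 'Valid'
        }

        [pscustomobject]@{
            Status = $status; NotBefore = $c.NotBefore; NotAfter = $c.NotAfter
            Subject = $c.Subject; Issuer = $c.Issuer; Purposes = $purposes
        }
    }
    $report | Sort-Object NotAfter | Format-List
} finally {
    $store.Close()
}
```

The `Issuer` column also shows which CA issued each certificate, which helps when tracking down the CA itself.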