Re: Enterprise subordinate CA in parent:child domains

From: IdentIT Inc (bkomar_at_nospam.identit.ca)
Date: 02/17/05

    Date: Wed, 16 Feb 2005 22:07:56 -0600

    In article <5174FBF5-73A6-40C9-B72F-4C428372215F@microsoft.com>, "Vladimir Jirasek" <Vladimir Jirasek@discussions.microsoft.com> says...
    > Hello,
    > I have root domain AD and child CHILD, 2000 native mode. AD is really a root
    > with no user and computer objects while CHILD contains all. I want to install
    > an Enterprise Subordinate CA (Root is an offline 3rd party CA) to be able to issue
    > computer certificates.
    > Questions I have so far:
    > 1. What domain should I install the CA into: AD or CHILD?
    > So far I have installed the CA in CHILD, and when I want to edit a GPO in the CHILD
    > domain to do autoenrollment for computers I can see templates but no issuing
    > CA. The same applies when I install it in the AD domain.
    >
    It really does not matter which domain you place the enterprise CA in.
    The catch is that the permissions on the computer certificate templates
    assume a single domain forest.

    You must modify the permissions for *any* certificate template to allow
    users/computers from *all* domains to have the Read and Enroll
    permissions (and the Autoenroll permissions for v2 templates).

    Use certtmpl.msc to modify the permissions to add, for example, the
    Child\domain computers group and assign the Read, Enroll, and Autoenroll
    permissions.

    The decision on which domain to place the computer account in is typically
    based on the number of domain admins in each domain, or the GPO
    deployment and management of the specific domains.

    It does not affect the issuance of certs.

    Also, remember to assign the autoenrollment GPO to the Computer
    Configuration in the domain where the computer accounts exist. In your
    case, the GPO must be linked to both domains in the forest.

    Brian

    <SNIP>
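The template permission fix Brian describes (Read, Enroll and Autoenroll for a group from the child domain), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module's AD: drive, an account allowed to edit the Configuration partition, and the template and group names shown are assumed placeholders; the Enroll and Autoenroll extended-right GUIDs are the well-known values from the AD schema.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for certificate enrollment in the AD schema.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Templates live in the forest-wide Configuration partition, so one ACL serves every domain.
function Get-TemplatePath([string]$Name) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    "AD:\CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
}

# Audit: does $Identity (e.g. a child-domain group) already hold Read, Enroll and Autoenroll?
function Test-TemplateEnrollAccess([string]$TemplateName, [string]$Identity) {
    $acl  = Get-Acl (Get-TemplatePath $TemplateName)
    $mine = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }
    [pscustomobject]@{
        Identity   = $Identity
        Read       = [bool]($mine | Where-Object {
            $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead })
        Enroll     = [bool]($mine | Where-Object { $_.ObjectType -eq $EnrollGuid })
        Autoenroll = [bool]($mine | Where-Object { $_.ObjectType -eq $AutoenrollGuid })
    }
}

# Fix: grant exactly the three permissions certtmpl.msc would add (no Write, no Full Control).
function Grant-TemplateEnrollAccess([string]$TemplateName, [string]$Identity) {
    $path  = Get-TemplatePath $TemplateName
    $acl   = Get-Acl $path
    $sid   = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                 [System.Security.Principal.SecurityIdentifier])
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', $allow)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $EnrollGuid)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $AutoenrollGuid))
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }   # duplicates are ignored
    Set-Acl -Path $path -AclObject $acl
}

# Usage with assumed names: audit first, then grant only if something is missing.
$state = Test-TemplateEnrollAccess -TemplateName 'Workstation Authentication' -Identity 'CHILD\Domain Computers'
if (-not ($state.Read -and $state.Enroll -and $state.Autoenroll)) {
    Grant-TemplateEnrollAccess -TemplateName 'Workstation Authentication' -Identity 'CHILD\Domain Computers'
}
```

Run the audit function against each template the CA publishes to see which child-domain groups still lack Autoenroll, which is the usual reason the GPO shows templates but no enrolling computers.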

