Re: Enroll smart cards for different domain

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 09/19/03


Date: Fri, 19 Sep 2003 06:27:59 -0700


No, I am sorry, a CA may only support one forest currently based on its
architecture. We will look to remove this limitation in future versions of
Windows Server.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Hans Walder" <hans.walder@pointag.net> wrote in message
news:OfXyRQbfDHA.2152@tk2msftngp13.phx.gbl...
> Hello David,
>
> thank you again for your answer.
>
> Each of our domains belongs to one school and each domain is in its own
> forest :(.
>
> Students from School A will also come to School B.
>
> But School A is only going to use smart card logon (at the moment) but
> students from School B should also be able to logon to our computers (with
> smart cards - because the smart card also contains several other services,
> i.e. printing,...).
>
> We have raised all domains to Native Mode and they trust each other.
>
> Would it work if we also raise the Forest to Native Mode and make a trust
> between the Forests?
>
> Thank you everyone for any idea.
> Best regards,
> Hans
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:eB8YbLXfDHA.128@tk2msftngp13.phx.gbl...
> > yes this is supported as long as both domains are in the same forest, what
> > is failing?
> >
> > make sure both CAs can issue the same template.
> >
> > Best Practices:
> >
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
> >
> >
> > -- 
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > http://support.microsoft.com
> >
> > "Hans Walder" <hans.walder@pointag.net> wrote in message
> > news:%23YuQudTfDHA.556@TK2MSFTNGP11.phx.gbl...
> > > By the way, we are using Windows Server 2003 Native Mode and Windows XP
> > > Professional Workstation.
> > >
> > > Thanks to all,
> > > Hans
> > >
> > > "Hans Walder" <hans.walder@pointag.net> wrote in message
> > > news:50fd01c37d1d$590db520$a501280a@phx.gbl...
> > > > Hi everyone,
> > > >
> > > > We have the following test environment:
> > > >
> > > > Domain A
> > > > - Domain Controller
> > > > - Enterprise Certificate Authority (member of domain A)
> > > >
> > > > Domain B
> > > > - Domain Controller
> > > >
> > > > And both domains trust each other.
> > > >
> > > > I can enroll smart cards for users from domain A.
> > > >
> > > > But is it also possible to do it for users from domain B?
> > > > Or do we have to have our own CA for each domain?
> > > >
> > > > Small Hint: When I create a folder and want to add a user
> > > > to the security tab I can choose users from both domains
> > > > but if I enroll a smart card I can only choose them from
> > > > domain A.
> > > >
> > > > Is this because the CA is only trusted to Domain
> > > > Controller A but not to Domain Controller B?
> > > >
> > > > Does someone have any experiences on that?
> > > >
> > > > Thank you all,
> > > > Hans
> > > >
> > > >
> > >
> > >
> >
> >
>
>
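The one-forest limit David describes comes from where an Enterprise CA is published: it registers a pKIEnrollmentService object under CN=Enrollment Services in the Configuration partition of its own forest, and the enrollment wizard on a domain-joined client only looks in its own forest's Configuration partition. The following PowerShell script, added here and not part of the thread, lists the Enterprise CAs a given forest publishes and the templates each one offers, so running it once per forest shows why Domain B's clients never see Domain A's CA and which templates (such as the smart card template) each forest's CAs can actually issue. The forest root name `schoola.example` is an assumed placeholder.

```powershell
# Added example, not from the original thread: enumerate the Enterprise CAs
# published in one forest's Configuration partition and the templates each
# CA offers. Run it against each forest root to compare what clients in that
# forest can see during enrollment.
param(
    # Assumed placeholder: DNS name of the forest root whose CAs to inspect.
    [string]$ForestRootDns = 'schoola.example'
)

# Build the DN of the forest's Configuration partition from its DNS name,
# e.g. schoola.example -> CN=Configuration,DC=schoola,DC=example
$domainDn = ($ForestRootDns -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$configDn = "CN=Configuration,$domainDn"

# Every Enterprise CA registers itself here; a CA in another forest is absent.
$enrollDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configDn"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$ForestRootDns/$enrollDn"
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'certificateTemplates'))

$results = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties   # property names are returned lower-cased
    [pscustomobject]@{
        Forest    = $ForestRootDns
        CA        = [string]$p['cn'][0]
        Host      = [string]$p['dnshostname'][0]
        # The template names the CA is configured to issue; an empty list or
        # a missing smart card template explains a failing enrollment.
        Templates = (@($p['certificatetemplates']) | ForEach-Object { [string]$_ }) -join ', '
    }
}

if (-not $results) {
    Write-Warning "No Enterprise CA is published in the Configuration partition of $ForestRootDns."
}
$results | Format-Table -AutoSize
```

Compare the output for both forest roots: the CA from the first post appears only under Domain A's forest, and the Templates column shows whether a CA in the second forest offers the same template, which is the check David asked for.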