Re: Enterprise CA on a domain controller

From: Brian Komar (bkomar_at_komarconsulting.com.nospam)
Date: 02/21/04

  • Next message: goofy: "Problems with complex password"
    Date: Sat, 21 Feb 2004 12:29:05 -0600
    
    

    In article <#8FjMUG#DHA.3068@tk2msftngp13.phx.gbl>,
    ravburano@hotmail.com says...
    > Hi,
    >
    > Do you have to run an Enterprise CA on a DC for autoenrolment to work? I
    > have read MS articles that state you have to and I have read other MS
    > articles that state you should never install a CA on a DC even if it is
    > technically possible to do so.
    >
    > The only thing I can clearly see is that you must have at least a DC running
    > 2000 with sp3. But I assume that is for the AD schema only and it does not
    > mean you must run a CA on a DC.
    >
    > So please please tell me I do not have to run my CA on a DC for
    > autoenrolment to function for both user and computer certs.
    >
    > Thanks
    >
    You do not have to run the enterprise CA on a DC. What you do need is:
    1) Application of the schema extensions to the Windows 2000 AD at a
    minimum
    2) Definition of a Group Policy object at the OU where the computer or
    user account exists (depends on whether you are enabling autoenrollment
    for the user or computer)
    3) A certificate template that enables the Read, Enroll, and Autoenroll
    permissions for the user/computer or for a group that contains the user
    in its membership.
    4) Publishing the certificate template at the enterprise CA so that it
    is available for enrollment.

    See the following WP for more details.

    Autoenrollment:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/autoenro.asp

    Cert Templates:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp

    Brian
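
    The four prerequisites in the reply above can be verified from a domain-joined Windows machine; the script below is an added example, not part of the original post. It assumes a template common name, a principal and a CA name, all of which are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): check the four autoenrollment
# prerequisites for one template and one principal. The three names below are
# placeholders; replace them with values from your own forest.
param(
    [string]$TemplateName = 'User',                  # placeholder template CN
    [string]$Principal    = 'CONTOSO\Domain Users',  # placeholder group or user
    [string]$CAName       = 'Contoso-Issuing-CA'     # placeholder enterprise CA CN
)

$root   = [ADSI]'LDAP://RootDSE'
$config = $root.configurationNamingContext
$pks    = "CN=Public Key Services,CN=Services,$config"

# 1) Schema extensions: report the forest schema objectVersion (higher = newer).
$schema = [ADSI]"LDAP://CN=Schema,$config"
"Schema objectVersion: $($schema.objectVersion)"

# 2) Autoenrollment Group Policy setting: the AEPolicy value under the
#    Cryptography\AutoEnrollment policy key; 0 or missing means not enabled.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AEPolicy
    "$hive AEPolicy: $(if ($null -eq $ae) { 'not set' } else { $ae })"
}

# 3) Template ACL: Read, Enroll and Autoenroll granted to the principal.
#    Enroll and Autoenroll are extended rights identified by these GUIDs.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$tmpl  = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
$rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
         Where-Object { $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' }
$readBit   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$hasRead   = $rules | Where-Object { ($_.ActiveDirectoryRights -band $readBit) -ne 0 }
$hasEnroll = $rules | Where-Object { $_.ObjectType -eq $enrollGuid }
$hasAuto   = $rules | Where-Object { $_.ObjectType -eq $autoenrollGuid }
"Template '$TemplateName' for '$Principal': Read=$([bool]$hasRead) Enroll=$([bool]$hasEnroll) Autoenroll=$([bool]$hasAuto)"

# 4) Template published at the enterprise CA: listed in the certificateTemplates
#    attribute of the CA's object under Enrollment Services.
$ca        = [ADSI]"LDAP://CN=$CAName,CN=Enrollment Services,$pks"
$published = @($ca.certificateTemplates) -contains $TemplateName
"Template '$TemplateName' published at '$CAName': $published"
```

    Run it as a user with read access to the Configuration partition; a False in any of the last two lines points at the prerequisite that is missing.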