Re: Enterprise CA on a domain controller

From: burano (dave_at_williams3506.fsnet.co.uk)
Date: 02/22/04

    Date: Sun, 22 Feb 2004 20:15:35 -0000


    Thanks. My faith is restored.

    "Brian Komar" <bkomar@komarconsulting.com.nospam> wrote in message
    news:MPG.1aa15f6bda45c0dc9896c3@msnews.microsoft.com...
    > In article <#8FjMUG#DHA.3068@tk2msftngp13.phx.gbl>,
    > ravburano@hotmail.com says...
    > > Hi,
    > >
    > > Do you have to run an Enterprise CA on a DC for autoenrolment to work? I
    > > have read MS articles that state you have to and I have read other MS
    > > articles that state you should never install a CA on a DC even if it is
    > > technically possible to do so.
    > >
    > > The only thing I can clearly see is that you must have at least a DC
    > > running 2000 with sp3. But I assume that is for the AD schema only and it
    > > does not mean you must run a CA on a DC.
    > >
    > > So please please tell me I do not have to run my CA on a DC for
    > > autoenrolment to function for both user and computer certs.
    > >
    > > Thanks
    > >
    > >
    > >
    > You do not have to run the enterprise CA on a DC. What you do need is:
    > 1) Application of the schema extensions to the Windows 2000 AD at a
    > minimum
    > 2) Definition of a Group Policy object at the OU where the computer or
    > user account exists (depends on whether you are enabling autoenrollment
    > for the user or computer)
    > 3) A certificate template that enables the Read, Enroll, and Autoenroll
    > permissions for the user/computer or for a group that contains the user
    > in its membership.
    > 4) Publishing the certificate template at the enterprise CA so that it
    > is available for enrollment.
    >
    > See the following WP for more details.
    >
    > Autoenrollment:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/autoenro.asp
    >
    > Cert Templates:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp
    >
    > Brian
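The four prerequisites Brian lists (schema extensions, an autoenrollment GPO for the user or computer, Read/Enroll/Autoenroll on the template, and the template published at an enterprise CA) can each be checked from a domain-joined Windows host. The PowerShell script below is an added example written for this page; it is not code from the thread, from Brian, or from Microsoft. It uses only the built-in ADSI provider, so no RSAT module is needed. The template name `User` and the principal `CONTOSO\Domain Users` are placeholders to replace; the `AEPolicy` registry value and its bit meanings are what the "Certificate Services Client - Auto-Enrollment" policy writes on later Windows versions, and the two GUIDs are the well-known Enroll and Autoenroll extended rights. The ACL check matches the ACE identity directly and does not expand nested group membership, so a principal that gets its rights through a group shows up only if you pass that group as `$Principal`.

```powershell
# Added example (not from the thread): verify autoenrollment prerequisites
# from a domain-joined host using the built-in ADSI provider.
param(
    [string]$TemplateName = 'User',                 # placeholder: template cn (not display name)
    [string]$Principal    = 'CONTOSO\Domain Users'  # placeholder: user or group expected to autoenroll
)

$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Enroll extended right
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Autoenroll extended right
$ExtRight       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericRead    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# True if any ACE in $Rules grants the given extended right (or all extended rights).
function Test-ExtendedRight {
    param($Rules, [guid]$RightGuid)
    [bool]($Rules | Where-Object {
        (($_.ActiveDirectoryRights -band $ExtRight) -eq $ExtRight) -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty) })
}

$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pksDn    = "CN=Public Key Services,CN=Services,$configNc"

# 1) Schema extensions: the PKI containers live in the Configuration partition and
#    appear only after the schema has been extended and an enterprise CA installed.
$pksExists = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$pksDn")
"1) Public Key Services container present: $pksExists"

# 2) Group Policy: computer autoenrollment policy lands in HKLM, user policy in HKCU.
#    AEPolicy bit 0x1 = enabled (7 = enabled with renew/update options); 0x8000 = disabled.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $state = if ($null -eq $val)        { 'not configured' }
             elseif ($val -band 0x8000) { 'disabled' }
             elseif ($val -band 0x1)    { "enabled (AEPolicy=$val)" }
             else                       { "configured but enable bit clear (AEPolicy=$val)" }
    "2) $hive autoenrollment policy: $state"
}

# 3) Template ACL: Read plus the Enroll and Autoenroll extended rights for the principal.
$sid      = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
$tmplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pksDn"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tmplPath)) {
    "3) template '$TemplateName' not found under Certificate Templates"
} else {
    $acl   = ([ADSI]$tmplPath).ObjectSecurity
    $allow = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $sid }
    $hasRead = [bool]($allow | Where-Object {
        ($_.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead })
    $hasEnroll     = Test-ExtendedRight $allow $EnrollGuid
    $hasAutoenroll = Test-ExtendedRight $allow $AutoenrollGuid
    "3) $Principal on '$TemplateName': Read=$hasRead Enroll=$hasEnroll Autoenroll=$hasAutoenroll"
}

# 4) Publication: each enterprise CA's pKIEnrollmentService object lists the templates it
#    issues in its certificateTemplates attribute.
$es = [ADSI]"LDAP://CN=Enrollment Services,$pksDn"
$publishedAt = foreach ($ca in $es.Children) {
    if (@($ca.certificateTemplates) -contains $TemplateName) { [string]$ca.cn }
}
"4) '$TemplateName' published at CA(s): $(if ($publishedAt) { $publishedAt -join ', ' } else { 'none' })"
```

Run it once in a user context (for the HKCU policy and a user template) and once elevated on the machine (for HKLM and a computer template). Once all four checks pass, `gpupdate /force` followed by `certutil -pulse` triggers the autoenrollment client immediately instead of waiting for the next policy refresh, which is the quickest way to confirm the chain end to end.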

