Windows 2000 CA implementation

From: Robert Field (rob.field_at_lstrillium.com)
Date: 06/17/04


Date: 17 Jun 2004 05:30:24 -0700

I am in the middle of putting a PKI in for our company. The design I
have implemented is as follows. In our Windows 2000 Forest we have an
empty root (Root.Domain) and we have two other trees (Domain1 and
Domain2).

I've got a Windows 2003 server hosting our ROOTCA; this sits in its
own workgroup.

I then created an Enterprise subordinate CA on one of the DCs sitting
in Root.Domain; this installed OK. Part of the install required me to
create a request file to get a certificate from the ROOTCA. This I
did. We then sent the request via web enrollment, approved it on the
ROOTCA and then installed it on the domain controller in the
Root.Domain.

After this I then installed a second Enterprise Subordinate, this time
on a domain controller in Domain1. I pointed this towards the
subordinate CA on the domain controller in Root.Domain. Everything
seemed to be working OK.

(I was logged on as Enterprise Admin for the two steps above)

Now I am trying to automatically deploy a computer certificate to a
certain number of our Domain1 laptops. When I log on as an Enterprise
Admin on a DC in Domain1 I can see the two Subordinate CAs in the
Forest. When I log on as a Domain Admin in Domain1 I cannot see any of
the CAs. I've checked all the permissions in AD Sites and Services
and ensured Domain Admins and Domain Computers have Read and Enroll
rights to them.

First of all, are there any issues with my proposed CA design? And
secondly, I am guessing the issue I have is a permissions problem, but I
am running out of places to check; does anyone have any ideas?

Robert Field
Land Securities
rob.field@lstrillium.com
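The "I cannot see any of the CAs" symptom comes down to what the enrolling account can read in the Enrollment Services container of the Configuration partition, where every Enterprise CA publishes a pKIEnrollmentService object. The script below is an added example, not part of the original post: it enumerates those objects and reports, per CA, whether a given group holds Read and the Certificate-Enrollment extended right on the CA object itself. It assumes a domain-joined machine, a user who can read the Configuration partition (authenticated users can by default), and the group names in `$groupsToCheck`, which are illustrative; the extended-right GUID is the fixed schema value for Certificate-Enrollment.

```powershell
# Added example (not from the original post): list the forest's Enterprise CAs
# and show whether the given groups hold Read and Enroll on each CA object.
# Assumptions: domain-joined host, caller can read the Configuration partition,
# and the group names below are placeholders to adjust for your forest.

$groupsToCheck = @('Domain Admins', 'Domain Computers')

# Schema GUID of the Certificate-Enrollment control access right (fixed in AD).
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNc   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$enrollSvcs = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

foreach ($ca in $enrollSvcs.Children) {
    # Each child is a pKIEnrollmentService object: one per Enterprise CA.
    $caName = [string]$ca.Properties['cn'].Value
    $caHost = [string]$ca.Properties['dNSHostName'].Value
    $acl    = $ca.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    # Explicit and inherited Allow ACEs, resolved to DOMAIN\Name form.
    $allowRules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
                  Where-Object { $_.AccessControlType -eq 'Allow' }

    foreach ($group in $groupsToCheck) {
        # Match the group whichever domain it comes from (ROOT\Domain Admins, DOMAIN1\Domain Admins, ...).
        $groupRules = @($allowRules | Where-Object { $_.IdentityReference.Value -like "*\$group" })

        # Read: any ACE carrying GenericRead bits (GenericAll covers these too).
        $readRules = @($groupRules | Where-Object {
            $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead })

        # Enroll: an ExtendedRight ACE whose ObjectType is the Enroll GUID,
        # or the empty GUID, which means "all extended rights".
        $enrollRules = @($groupRules | Where-Object {
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty) })

        [pscustomobject]@{
            CA     = $caName
            Host   = $caHost
            Group  = $group
            Read   = ($readRules.Count -gt 0)
            Enroll = ($enrollRules.Count -gt 0)
        }
    }
}
```

Run it once as the Enterprise Admin that does see the CAs and once as the Domain1 Domain Admin that does not: a row with Read set to False for the Domain1 group (or no matching ACE at all) points at the CA object's ACL in the Configuration partition rather than at anything in AD Sites and Services. If both columns come back True for the CA and the laptops still get nothing, the remaining place to look is the certificate template, since autoenrollment needs Read, Enroll and Autoenroll on the template as well as Enroll on the CA; this script deliberately checks only the CA objects.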
