Re: Certificate template modifying

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 09/24/04

    Date: Fri, 24 Sep 2004 08:01:04 +0200
    
    

    Hi,

    I don't know if you have Windows 2003 active directory. If you only have
    Windows 2000 active directory, you can still set up Windows 2003 Enterprise
    CA, but before you do, you will have to upgrade Windows 2000 active
    directory schema to Windows 2003.

    If you need to upgrade your schema watch out for this "Windows Server 2003
    adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests
    That Contain Exchange 2000 Servers"
    http://support.microsoft.com/default.aspx?scid=kb;en-us;314649

    Mike

    "schapman" <schapman@inlandkwpp.com> wrote in message
    news:4mk6l0h1jmrgjbd72reasfbcpru2fq1mm7@4ax.com...
    > Well. that explains it :) Time to see if we have any licenses of
    > enterprise I guess.
    >
    > On Thu, 23 Sep 2004 23:10:24 +0200, "Miha Pihler"
    > <mihap-news@atlantis.si> wrote:
    >
    > >To answer second part of your question. Yes, it is possible to allow
    > >certain users to access only certain templates. Again you will need Windows
    > >2003 Enterprise setup of Windows CA. Then you can use permissions to allow
    > >users to access only certain templates or use auto-enrollment based on users'
    > >permissions.
    > >
    > >Check links in my previous post. Specifically "Implementing and Administering
    > >Certificate Templates in Windows Server 2003"
    > >
    > >Mike
    > >
    > >"Miha Pihler" <mihap-news@atlantis.si> wrote in message
    > >news:%23MtpUEboEHA.800@TK2MSFTNGP14.phx.gbl...
    > >> Hi,
    > >>
    > >> Version 2 certificate templates (edited templates) can only be used to issue
    > >> certificates on CA
    > >> server that was installed on Windows 2003 Enterprise Edition (not on Windows
    > >> 2003 Standard Edition).
    > >> CA server also has to be set up as Windows 2003 Enterprise CA service
    > >> (integrated in AD) not as Windows 2003 standalone CA server.
    > >>
    > >> Implementing and Administering Certificate Templates in Windows Server 2003
    > >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
    > >>
    > >> Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
    > >> Infrastructure
    > >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
    > >>
    > >> PKI Enhancements in Windows XP Professional and Windows Server 2003
    > >> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
    > >>
    > >> Windows Server 2003 PKI Operations Guide
    > >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
    > >>
    > >> Managing a Windows Server 2003 Public Key Infrastructure
    > >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
    > >>
    > >> Advanced Certificate Enrollment and Management
    > >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
    > >>
    > >> Mike
    > >>
    > >> "schapman" <sean.chapman@gmail.com> wrote in message
    > >> news:b9ddedc8.0409231251.6d586645@posting.google.com...
    > >> > I set up a windows 2003 server and am trying to use it as a
    > >> > Certificate Authority. I gave it a name, put it on the domain, and can
    > >> > issue certificates with no problem. However, I'm trying to modify a
    > >> > certificate template so that I can disable the option to mark keys as
    > >> > exportable. When I try and load up certtmpl.msc, I get the following
    > >> > error:
    > >> >
    > >> > Windows could not create the object identifier list. This computer is
    > >> > not joined to a domain. Certificate templates are not available.
    > >> >
    > >> > I don't really understand what's going on here as the computer is on
    > >> > the domain. I tried uninstalling the certificate authority, taking the
    > >> > machine off the network, re-adding it, and re-installing the
    > >> > certificate authority but I get the same issue. Any ideas would be
    > >> > appreciated.
    > >> >
    > >> > Also, is there a way to have it so that certain people requesting
    > >> > certificates can only request a specific template while having other
    > >> > users be able to pick any they want?
    > >>
    > >>
    > >
    >
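
The two settings discussed in this thread (whether a template allows exportable keys, and which users may enroll for it) are both stored on the template objects in Active Directory and can be audited read-only. The following is an added example, not part of the original thread; it assumes a management host with the RSAT ActiveDirectory PowerShell module (which postdates the Windows 2003 tooling discussed above) and a forest whose schema includes the msPKI-* template attributes.

```powershell
# Added example: read-only audit of certificate templates stored in AD.
# Assumption: RSAT ActiveDirectory module, run from a domain-joined session.
Import-Module ActiveDirectory

$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right
$ExportableKey  = 0x10   # CT_FLAG_EXPORTABLE_KEY bit in msPKI-Private-Key-Flag
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the forest-wide configuration partition.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $container -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Private-Key-Flag', 'nTSecurityDescriptor'

$report = foreach ($t in $templates) {
    # Treat a missing schema-version attribute as a version 1 template.
    $version = $t.'msPKI-Template-Schema-Version'
    if (-not $version) { $version = 1 }

    # A missing flag attribute evaluates to $false here; review such templates by hand.
    $exportable = [bool]($t.'msPKI-Private-Key-Flag' -band $ExportableKey)

    # Allow ACEs granting Enroll/Autoenroll, or all extended rights (empty GUID, Full Control).
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $ExtendedRight) -and
        ($_.ObjectType -eq $EnrollGuid -or
         $_.ObjectType -eq $AutoEnrollGuid -or
         $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        Template      = $t.Name
        SchemaVersion = $version
        ExportableKey = $exportable
        CanEnroll     = ($enrollers | ForEach-Object { $_.IdentityReference.Value } |
                         Sort-Object -Unique) -join '; '
    }
}

$report | Sort-Object Template | Format-Table -AutoSize -Wrap
```

Templates that show `ExportableKey` as True together with broad groups such as Domain Users or Authenticated Users in `CanEnroll` are the ones to review first.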

