Re: Changing Global Group to Domain Local Group.

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/07/05 

Date: Thu, 6 Jan 2005 18:10:48 -0600

I have never had to deal with that but see if the info in the link below is
helpful. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281271

"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:uJbU7s$8EHA.1228@tk2msftngp13.phx.gbl...
> In my Windows 2000 domain (native mode), that is almost completly upgraded
> to Windows 2003 I want to change my Cert Publishers group from a Global
> Group to a Domain Local Group. If you install 2003 from scratch and make
> it a domain controller this group is a Domain Local Group even if you are
> in Windows 2000 native mode. Currently the ability to switch this group
> is greyed out.
>
> The reasoning behind this is we are building a 2-tiered Certificate
> Authority structure with the Issuing Certificate Authority in the Root
> domain. All users and computer objects are in the child domain. So
> unless I can put the CA computer object that is in the root domain in the
> Child domain Cert Publishers group, the certificates issued to users in
> the child domain do not work. If the Cert publishers group is a Domain
> Local group I can easily see the CA server in the Root Domain and can add
> it correctly.
>
> Does anyone have any experience with 2-tiered CA's within a 2-tiered
> forest?
>
> Thanks
>
> Rob McShinsky
>

Relevant Pages

  • Re: Changing Global Group to Domain Local Group.
    ... >>>> upgraded to Windows 2003 I want to change my Cert Publishers group ... >>>> Authority structure with the Issuing Certificate Authority in the Root ... All users and computer objects are in the child domain. ... >>>> Domain Local group I can easily see the CA server in the Root Domain ...
    (microsoft.public.windows.server.general)
  • Re: Changing Global Group to Domain Local Group.
    ... >>>> upgraded to Windows 2003 I want to change my Cert Publishers group ... >>>> Authority structure with the Issuing Certificate Authority in the Root ... All users and computer objects are in the child domain. ... >>>> Domain Local group I can easily see the CA server in the Root Domain ...
    (microsoft.public.windows.server.active_directory)
  • Re: Changing Global Group to Domain Local Group.
    ... >>>> upgraded to Windows 2003 I want to change my Cert Publishers group ... >>>> Authority structure with the Issuing Certificate Authority in the Root ... All users and computer objects are in the child domain. ... >>>> Domain Local group I can easily see the CA server in the Root Domain ...
    (microsoft.public.windows.server.security)
  • Re: Changing Global Group to Domain Local Group.
    ... > to Windows 2003 I want to change my Cert Publishers group from a Global ... > Authority structure with the Issuing Certificate Authority in the Root ... All users and computer objects are in the child domain. ... > unless I can put the CA computer object that is in the root domain in the ...
    (microsoft.public.windows.server.general)
  • Re: Changing Global Group to Domain Local Group.
    ... > to Windows 2003 I want to change my Cert Publishers group from a Global ... > Authority structure with the Issuing Certificate Authority in the Root ... All users and computer objects are in the child domain. ... > unless I can put the CA computer object that is in the root domain in the ...
    (microsoft.public.windows.server.active_directory)