Re: PKI Certificate Server Install in AD Empty Root Domain

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 07/21/05


Date: Thu, 21 Jul 2005 11:59:14 -0500

Answers inline:

In article <eVKgergjFHA.1232@TK2MSFTNGP15.phx.gbl>,
fasteddie@therockwells.net.no.spam says...
> Platform: Windows 2003 AD with an empty root
>
> We are installing an Enterprise CA in our Active Directory 2003 Forest. All
> our resources, users, and computers and effective GP settings are in a
> domain under the empty forest root domain.
>
> My questions:
>
> If I install the CA in the forest root, will the certificates and auto
> issuing of certificates work correctly in the other domains within the
> forest or should I install the Enterprise CA in the domain that houses all
> the resources, machines and users?

It really does not matter which domain you install the certificates in.
Whichever domain you choose, you will have to do some additional work to
issue certificates to other domains in the forest.

1) Certificate templates. The default permissions will only include
groups in the forest root domain. You must modify permissions for other
domains to assign Read and Enroll perms (possibly autoenroll).

2) Publication to AD to the userCertificate attribute. An enterprise CA
by default can only publish certificates to user objects in the same
domain. Follow the instructions in Q281271 "Windows 2000 CA Config. to
Publish Certs in AD of Trusted Domain" to assign the correct perms to
the Cert Publishers group to the other domains in the forest.

>
> Also, can I use this CA to issue certs in another Forest?

No. A CA can only issue certs to users in the same forest. You can in
some cases, if the subject is provided in the request, but what you may
want to look at is a root that is not specific to either forest, and
then subordinate CAs in each forest.
>
> thanks,
>
> Fast Eddie
>
>
>

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
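An added example to check point 1) of the reply above, not code from the original post or from Microsoft: it walks the certificate templates in the forest's Configuration partition and reports which domains' principals hold Read, Enroll or Autoenroll, then lists the templates whose enrollment rights are granted only to forest-root groups. It assumes the ActiveDirectory PowerShell module (AD: drive) on a domain-joined machine and uses the standard Certificate-Enrollment / Certificate-AutoEnrollment extended-right GUIDs.

```powershell
# Added example (not from the original post). Audits template ACLs so that
# templates still granting Enroll/Autoenroll only to forest-root groups are
# visible before autoenrollment is expected to work in the child domain.
# Assumes the ActiveDirectory module and Read access to the templates container.
Import-Module ActiveDirectory

# Extended-right GUIDs for certificate enrollment (standard schema values)
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-TemplateEnrollmentAcl {
    param([string]$TemplatesContainer = $templateDN)
    Get-ADObject -SearchBase $TemplatesContainer -LDAPFilter '(objectClass=pKICertificateTemplate)' |
      ForEach-Object {
        $tpl = $_
        $acl = Get-Acl -Path ("AD:\" + $tpl.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $right = switch ($ace.ObjectType) {
                $EnrollGuid     { 'Enroll' }
                $AutoEnrollGuid { 'AutoEnroll' }
                default         { $null }
            }
            # GenericRead is the "Read" permission the reply says each domain's groups need
            if (-not $right -and (($ace.ActiveDirectoryRights -band 'GenericRead') -ne 0)) { $right = 'Read' }
            if (-not $right) { continue }
            # Domain groups resolve as DOMAIN\Name; BUILTIN, NT AUTHORITY or a raw SID otherwise
            $domain = ($ace.IdentityReference.Value -split '\\')[0]
            [pscustomobject]@{ Template = $tpl.Name; Domain = $domain
                               Principal = $ace.IdentityReference.Value; Right = $right }
        }
      }
}

# Templates whose Enroll/AutoEnroll rights name only forest-root principals
$rootNetbios = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
Get-TemplateEnrollmentAcl | Where-Object { $_.Right -in 'Enroll','AutoEnroll' } |
  Group-Object Template |
  Where-Object { $doms = @($_.Group.Domain | Sort-Object -Unique)
                 $doms.Count -eq 1 -and $doms[0] -eq $rootNetbios } |
  ForEach-Object { "{0}: enrollment granted only to {1} principals" -f $_.Name, $rootNetbios }
```

Point 2) of the reply is a separate ACL: the write permission the Cert Publishers group needs on user objects in the other domain lives on those domain partitions, not on the templates, so it is not covered by this check.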

