Re: PKI Certificate Server Install in AD Empty Root Domain

From: FastEddie (fasteddie_at_therockwells.net.no.spam)
Date: 07/21/05


Date: Thu, 21 Jul 2005 14:43:09 -0500

Thanks. Just what I was looking for.

-Fasteddie

"kerberos_boy" <kerberos_boy@yahoo.com> wrote in message
news:1121971277.827762.326290@g44g2000cwa.googlegroups.com...
> From Microsoft Technet document "Windows Server 2003 PKI Operations
> Guide":
>
> "Best Practice:
> The recommended best practice is to install CAs as a member of the root
> domain in the forest to provide centralized administration and control
> of the PKI services. For additional best practices, see the Windows
> Server 2003 Resource Kit."
>
> Please see this link:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> HTH,
>
> Kerberos_Boy
>
> Brian Komar wrote:
>> Answers inline:
>>
>>
>>
>> In article <eVKgergjFHA.1232@TK2MSFTNGP15.phx.gbl>,
>> fasteddie@therockwells.net.no.spam says...
>> > Platform: Windows 2003 AD with an empty root
>> >
>> > We are installing an Enterprise CA in our Active Directory 2003 Forest.
>> > All our resources, users, and computers and effective GP settings are in
>> > a domain under the empty forest root domain.
>> >
>> > My questions:
>> >
>> > If I install the CA in the forest root, will the certificates and auto
>> > issuing of certificates work correctly in the other domains within the
>> > forest or should I install the Enterprise CA in the domain that houses
>> > all the resources, machines and users?
>>
>> It really does not matter which domain you install the certificates in.
>> Whichever domain you choose, you will have to do some additional work to
>> issue certificates to other domains in the forest.
>> 1) Certificate templates. The default permissions will only include
>> groups in the forest root domain. You must modify permissions for other
>> domains to assign Read and Enroll perms (possibly autoenroll).
>> 2) Publication to AD to the userCertificate attribute. An enterprise CA
>> by default can only publish certificates to user objects in the same
>> domain. Follow the instructions in Q281271 "Windows 2000 CA Config. to
>> Publish Certs in AD of Trusted Domain" to assign the correct perms to
>> the Cert Publishers group to the other domains in the forest.
>>
>> >
>> > Also, can I use this CA to issue certs in another Forest?
>>
>> No. A CA can only issue certs to users in the same forest. You can in
>> some cases, if the subject is provided in the request, but what you may
>> want to look at is a root that is not specific to either forest, and
>> then subordinate CAs in each forest.
>> >
>> > thanks,
>> >
>> > Fast Eddie
>> >
>> >
>> >
>>
>> --
>> ==
>> Brian Komar
>> MVP - Windows - Security
>> http://www.identit.ca/blogs/brian
>
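
The two steps in Brian Komar's reply (fix the template permissions, then give the CA domain's Cert Publishers group write access to userCertificate in the other domain per Q281271), as an added PowerShell example. This is not code from the thread, from the KB article or from any Microsoft tool. It assumes a management host with the RSAT ActiveDirectory module, an account that may edit the template's DACL in the Configuration NC and the target domain's DACL, and it uses the GUIDs for the Enroll and Autoenroll extended rights and the userCertificate/user schema objects; template, group and domain names are placeholders.

```powershell
# Added example for this thread, not code from the original posts or from Microsoft.
# Assumes: RSAT ActiveDirectory module, an enterprise CA in one domain of the forest,
# users in another domain, and rights to edit both DACLs touched below.
# Template, group and domain names are placeholders.
Import-Module ActiveDirectory

# Well-known GUIDs: the two certificate-template extended rights, then the schema IDs
# needed for a property-specific, class-scoped ACE in step 2.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-11d2-9a8e-00c04f79dc55'   # Certificate-AutoEnrollment
$UserCertAttr    = [Guid]'bf967a7f-0de6-11d0-a285-00aa003049e2'   # attribute userCertificate
$UserClass       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # class user

$Allow = [System.Security.AccessControl.AccessControlType]::Allow

function New-AdAce {
    # Helper around the six-argument ActiveDirectoryAccessRule constructor.
    param($Sid, $Rights, [Guid]$ObjectType = [Guid]::Empty,
          $Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None,
          [Guid]$InheritedObjectType = [Guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Sid, $Rights, $Allow, $ObjectType, $Inheritance, $InheritedObjectType
}

function Grant-TemplateEnroll {
    # Step 1: a template's default DACL names forest-root groups only, so a group
    # from another domain must be given Read + Enroll (and Autoenroll) explicitly.
    # Templates live in the Configuration NC, so one edit is visible forest-wide.
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # CN of the template, e.g. 'User'
        [Parameter(Mandatory)][string]$GroupDomain,    # e.g. 'child.corp.example'
        [Parameter(Mandatory)][string]$GroupName,      # e.g. 'Domain Users'
        [switch]$AutoEnroll
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $sid  = (Get-ADGroup -Identity $GroupName -Server $GroupDomain).SID
    $tmpl = [ADSI]"LDAP://$templateDN"
    $sec  = $tmpl.psbase.ObjectSecurity

    $sec.AddAccessRule((New-AdAce $sid ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)))
    $sec.AddAccessRule((New-AdAce $sid ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $EnrollRight))
    if ($AutoEnroll) {
        $sec.AddAccessRule((New-AdAce $sid ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $AutoEnrollRight))
    }
    $tmpl.psbase.CommitChanges()
}

function Grant-CertPublishersWrite {
    # Step 2 (Q281271): let the CA domain's Cert Publishers group write userCertificate
    # on user objects in another domain, so the enterprise CA can publish the certs it
    # issues to those users. Inherit-only, scoped to the one attribute and to objects
    # of class user: nothing broader than publication needs.
    param(
        [Parameter(Mandatory)][string]$CADomain,       # domain the CA is a member of
        [Parameter(Mandatory)][string]$TargetDomain    # domain holding the users
    )
    $sid      = (Get-ADGroup -Identity 'Cert Publishers' -Server $CADomain).SID
    $targetNC = (Get-ADDomain -Server $TargetDomain).DistinguishedName
    $domain   = [ADSI]"LDAP://$TargetDomain/$targetNC"
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ace = New-AdAce $sid $rights $UserCertAttr `
        ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents) $UserClass
    $domain.psbase.ObjectSecurity.AddAccessRule($ace)
    $domain.psbase.CommitChanges()
}

function Show-AceFor {
    # Check after each step: list the ACEs a given identity holds on an object.
    param([Parameter(Mandatory)][string]$Path,           # 'LDAP://server/DN'
          [Parameter(Mandatory)][string]$IdentityLike)   # e.g. '*\Cert Publishers'
    ([ADSI]$Path).psbase.ObjectSecurity.Access |
        Where-Object { $_.IdentityReference -like $IdentityLike } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

# Usage (placeholder names):
# Grant-TemplateEnroll -TemplateName 'User' -GroupDomain 'child.corp.example' `
#     -GroupName 'Domain Users' -AutoEnroll
# Grant-CertPublishersWrite -CADomain 'corp.example' -TargetDomain 'child.corp.example'
# Show-AceFor -Path 'LDAP://child.corp.example/DC=child,DC=corp,DC=example' `
#     -IdentityLike '*\Cert Publishers'
```

The second grant is what the KB article does with a single dsacls command, roughly `dsacls "DC=child,DC=corp,DC=example" /I:S /G "CORP\Cert Publishers:RPWP;userCertificate;user"`. Two caveats for a practitioner: in a Windows Server 2003 domain Cert Publishers is a domain local group, so the other documented route is to add the CA's computer account to Cert Publishers in each child domain instead of editing the domain DACL; and the template change only takes effect for autoenrollment once the template is also published on the CA (certsrv.msc, Certificate Templates, New, Certificate Template to Issue). To confirm end to end, run `certutil -pulse` on a client in the other domain and then `certutil -user -store My` to see whether the certificate arrived.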


