Re: PKI Certificate Server Install in AD Empty Root Domain

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 07/22/05


Date: Fri, 22 Jul 2005 06:59:28 -0500

In article <eUPMiBjjFHA.3448@TK2MSFTNGP12.phx.gbl>,
fasteddie@therockwells.net.no.spam says...
> Questions inline:
>
>
>
> "Brian Komar" <MVPbkomar@nospam.identit.ca> wrote in message
> news:MPG.1d49905ceafd6bb39896c3@msnews.microsoft.com...
> > Answers inline:
> >
> >
> >
> > In article <eVKgergjFHA.1232@TK2MSFTNGP15.phx.gbl>,
> > fasteddie@therockwells.net.no.spam says...
> >> Platform: Windows 2003 AD with an empty root
> >>
> >> We are installing an Enterprise CA in our Active Directory 2003 Forest.
> >> All
> >> our resources, users, and computers and effective GP settings are in a
> >> domain under the empty forest root domain.
> >>
> >> My questions:
> >>
> >> If I install the CA in the forest root, will the certificates and auto
> >> issuing of certificates work correctly in the other domains within the
> >> forest or should I install the Enterprise CA in the domain that houses
> >> all
> >> the resources, machines and users?
> >
> > It really does not matter which domain you install the certificates in.
> > Whichever domain you choose, you will have to do some additional work to
> > issue certificates to other domains in the forest.
> > 1) Certificate templates. The default permissions will only include
> > groups in the forest root domain. You must modify permissions for other
> > domains to assign Read and Enroll perms (possibly autoenroll).
> > 2) Publication to AD to the userCertificate attribute. An enterprise CA
> > by default can only publish certificates to user objects in the same
> > domain. Follow the instructions in Q281271 "Windows 2000 CA Config. to
> > Publish Certs in AD of Trusted Domain" to assign the correct perms to
> > the Cert Publishers group to the other domains in the forest.
> >
> >>
> >> Also, can I use this CA to issue certs in another Forest?
> >
> > No. A CA can only issue certs to users in the same forest. You can in
> > some cases, if the subject is provided in the request, but what you may
> > want to look at is a root that is not specific to either forest, and
> > then subordinate CAs in each forest.
>
> So you are saying I could have a Ent CA in my forest root (forest A, Domain
> A) and a subordinate in my member domain (Forest A, Domain B) to auto issue
> certs for machines and accounts?

Not quite.
A root CA in this scenario should be an offline CA (not a member of any
forest and running as a standalone CA). Then place a subordinate
enterprise CA in each forest to allow issuance of certificates to users,
computers, and devices in the two forests.

See the best practices white paper at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

Brian

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
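One way to audit point 1 of the reply (template permissions) from the defender's side, added here as an example and not part of the thread: it lists which groups hold Read, Enroll and Autoenroll on a certificate template so you can see whether only forest-root groups are present. It assumes a domain-joined host that can bind to the Configuration partition via [ADSI], and that the template name is passed as a parameter.

```powershell
# Added example (not from the thread): audit Read/Enroll/Autoenroll ACEs on a
# certificate template. Templates live in the forest-wide Configuration partition,
# but the default ACL only names forest-root groups (see the reply above).
param(
    [Parameter(Mandatory = $true)][string]$TemplateName   # e.g. 'User' (assumed name)
)

# Well-known extended-right GUIDs for certificate templates
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00e0-1cc5-9e5d4e4f1fcd'
$ReadProp       = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ExtRight       = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
try { $template.RefreshCache() }
catch { throw "Template '$TemplateName' not found under $configNC" }

$rows = foreach ($ace in $template.ObjectSecurity.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = @()
    $mask = [int]$ace.ActiveDirectoryRights
    if (($mask -band $ReadProp) -ne 0) { $rights += 'Read' }
    if ($ace.ObjectType -eq $EnrollGuid)     { $rights += 'Enroll' }
    if ($ace.ObjectType -eq $AutoEnrollGuid) { $rights += 'Autoenroll' }
    # An ExtendedRight ACE with an empty ObjectType grants every extended right,
    # which includes both Enroll and Autoenroll
    if ((($mask -band $ExtRight) -ne 0) -and ($ace.ObjectType -eq [guid]::Empty)) {
        $rights += 'Enroll', 'Autoenroll'
    }
    if (-not $rights) { continue }

    $id = $ace.IdentityReference.Value
    # NetBIOS domain prefix tells you which domain's group was granted the right;
    # unresolvable SIDs and well-known principals have no prefix
    $idDomain = if ($id -like '*\*') { $id.Split('\')[0] } else { '(none)' }
    [pscustomobject]@{
        Identity = $id
        Domain   = $idDomain
        Rights   = (($rights | Select-Object -Unique) -join ',')
    }
}

$rows | Sort-Object Domain, Identity | Format-Table -AutoSize
```

If every Enroll/Autoenroll row carries only the forest-root domain prefix, principals in the child domain cannot enroll until their groups are granted Read and Enroll (and Autoenroll where needed) on the template.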

