Re: Strange; setting up CA for DC IPsec - how did the DCs autoenroll?



A couple of things.
- The Domain Controller certificate is a version 1 certificate template, and will deploy automatically using Automatic Certificate Request Settings. DCs are hard coded to request this certificate (if available).
- You are a bit mistaken on the functionality of the standard edition SKU and enterprise CAs. You will be unable to deploy *any* certificates based on version 2 certificate templates. So there would be no auto-requests as you describe waiting for approval.
Brian

"Thomas H" <ThomasH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:BC848406-4C5F-46C6-BB83-CF58683E091C@xxxxxxxxxxxxxxxx
So I'm in "virtual land" because I want to enable IPSec communication between
our intersite DCs. My sandbox is all Windows 2003 server R2 SE SP2, and has
4 DCs, 2 sites, and a member server. I built an enterprise root CA on the
member server. I had to manually add the Domain Controllers group to the
member server's local CERTSVC_DCOM_ACCESS group. I rebooted all the DCs, and
went off to read some documentation on how to set up IPSec.

I came back to the CA that I built (again, on 2k3 SE R2 SP2), and just
started poking around. Somehow, in the "Issued Certificates" node, two of my
DCs had certificates!

I went to one of the DCs, and loaded the Certificates snap-in for the local
computer (the DC), and sure enough, there was a Domain Controller certificate
in the Personal\Certificates node. I went to the Application event log on the
DC, and saw an Information message from the AutoEnrollment source, saying
"Automatic certificate enrollment for local system successfully received one
Domain Controller certificate from certificate authority mytestca1 on
mytestca1.mytest.local."

However, I didn't set up any automatic requests in group policy yet!
Everything is still at its defaults (not even SCW has been run yet in my test
domain). Plus, since the root CA I set up was Standard Edition and not
Enterprise Edition, I didn't think anything could auto-enroll (just
auto-request, and I'd have to manually approve it).

Anyone seen this before? Are DCs magically allowed to auto-enroll by default?

Thanks!
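The checks Brian's answer points at, written up here as an added example (not code from either poster): it lists which templates the CA actually publishes (on a Standard Edition enterprise CA only version 1 templates should show up), looks in the DC's machine store for a certificate issued from the version 1 DomainController template, and pulls the AutoEnrollment events Thomas saw. The CA config string reuses the host and CA names from the post and is an assumption; the OID used is the standard "Certificate Template Name" extension that v1 templates carry. Run it in PowerShell on the DC with administrative rights.

```powershell
# Added example, not from the thread. Verifies why a DC holds a "Domain Controller"
# certificate with no autoenrollment GPO configured. Run on the DC as an admin.
# Assumption: the CA is reachable as "<host>\<CA name>" using the names in the post.
$CaConfig = 'mytestca1.mytest.local\mytestca1'

# 1. Which templates does the CA publish? A Standard Edition enterprise CA can only
#    issue from version 1 templates (DomainController, Computer, WebServer, ...),
#    so anything DCs obtained had to come from one of these.
Write-Host "Templates published by $CaConfig :"
certutil -config $CaConfig -CATemplates

# 2. Does the DC's machine store hold a certificate issued from the DomainController
#    template? v1 templates record the template *name* in the
#    "Certificate Template Name" extension, OID 1.3.6.1.4.1.311.20.2.
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    ($ext -ne $null) -and ($ext.Format($false) -match 'DomainController')
}
if ($dcCerts) {
    foreach ($c in $dcCerts) {
        Write-Host ("DomainController cert: subject={0} issuer={1} notAfter={2}" -f `
            $c.Subject, $c.Issuer, $c.NotAfter)
    }
} else {
    Write-Host 'No certificate from the DomainController template in the machine store.'
}

# 3. What did the autoenrollment client itself log? The message Thomas quoted comes
#    from the "AutoEnrollment" source in the Application log.
Get-EventLog -LogName Application -Source AutoEnrollment -Newest 20 |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap
```

If step 1 shows only version 1 templates and step 2 finds the certificate, the DC obtained it exactly as Brian describes: the DC requested the v1 DomainController template on its own, and nothing waited for manual approval because no v2 template was involved.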

