Re: Strange; setting up CA for DC IPsec- how did the DCs autoenrol
- From: Thomas H <ThomasH@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 13 Jan 2008 13:04:01 -0800
Hi Brian, thanks very much for the reply!
I think I understand now: Are you saying that the docs I read that said
"Enterprise Edition is required for auto-enrolling" was talking about v2
templates, and not v1's? (I was expecting v1, but I plan to ask for an
upgrade to EE once this has been working for a while)
Which must mean that Standard Edition will auto-enroll v1 templates as long
as they're policy-based requests?
Oh and one more question- So even though I didn't set up an Auto Cert
Request inside of Group Policy, the DCs will still ask for- and receive- a
certificate automatically? I even ran an rsop.msc on the DC, and the only
thing it found was ComputerConfig\Windows\Security\Public Key
Policies\Autoenrollment Settings, Enroll certs automatically=Enabled. I
thought I also had to set up Public Key Policies\Automatic Certificate
Request? Or does an "enroll automatically" elimate the need for an auto cert
request?
Funny, I thought IPSec was going to be the hard part... (laughs)
-T
"Brian Komar" wrote:
A couple of things..
The Domain Controller certificate is a version 1 certificate template, and
will deploy automatically using Automatic Certificate Request Settings. DCs
are hard coded to request this certificate (if available).
- You are a bit mistaken on the functionality of the standard edition SKU
and enterprise CAs. You will be unable to deploy *any* certificates based on
version 2 certificate templates. So there would be no auto-requests as you
describe waiting for approval.
Brian
"Thomas H" <ThomasH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BC848406-4C5F-46C6-BB83-CF58683E091C@xxxxxxxxxxxxxxxx
So I'm in "virtual land" because I want to enable IPSec communication
between
our intersite DCs. My sandbox is all Windows 2003 server R2 SE SP2, and
has
4 DCs, 2 sites, and a member server. I built an enterprise root CA on the
member server. I had to manually add the Domain Controllers group to the
member server's local CERTSVC_DCOM_ACCESS group. I rebooted all the DCs,
and
went off to read some documentation on how to set up IPSec.
I came back to the CA that I built (again, on 2k3 SE R2 SP2), and just
started poking around. Somehow, in the "Issued Certificates" node, two of
my
DCs had certificates!
I went to one of the DCs, and loaded the Certificates snap-in for the
local
computer (the DC), and sure enough, there was a Domain Controller
certificate
in the Personal\Certificates node. I went to the Application event log on
the
DC, and saw an Information message from the AutoEnrollment source, saying
"Automatic certificate enrollment for local system successfully received
one
Domain Controller certificate from certificate authority mytestca1 on
mytestca1.mytest.local."
However, I didn't set up any automatic requests in group policy yet!
Everything is still at its defaults (not even SCW has been run yet in my
test
domain). Plus, since the root CA I set up was Standard Edition and not
Enterprise Edition, I didn't think anything could auto-enroll (just
auto-request, and I'd have to manually approve it).
Anyone seen this before? Are DCs magically allowed to auto-enroll by
default?
Thanks!
- References:
- Re: Strange; setting up CA for DC IPsec- how did the DCs autoenroll?
- From: Brian Komar
- Re: Strange; setting up CA for DC IPsec- how did the DCs autoenroll?
- Prev by Date: Re: logon unsuccessful!!
- Next by Date: Window Server 2003 R2 x64 Std Apache/PHP/Tomcat Security
- Previous by thread: Re: Strange; setting up CA for DC IPsec- how did the DCs autoenroll?
- Next by thread: Re: hidden firewall
- Index(es):
Relevant Pages
|
