|
Posted by sam on July 12, 2005, 10:38 am
Hi,
I would appreciate it if someone could direct me as to the best/common way of
installing a certificate authority in a Windows 2003 forest with the following
configuration:
Forest name space is “abc.com” and the production domain where all the users
reside is “mqs.com”
Is it possible to do this and how?
Thank you
|
|
Posted by Brian Komar on July 13, 2005, 8:20 am
sam@discussions.microsoft.com says...
> Hi,
>
> I would appreciate if some one could direct me as to the best/common way of
> installing certificate authority in windows 2003 Forest with the following
> configurations:
> Forest name space is “abc.com” and the production domain where all the users
> reside is “mqs.com”
> Is it possible to do this and how?
>
>
> Thank you
>
>
I am not really sure what your configuration is?
- If mqs.com and abc.com are in the *same* forest, then you only need to
install a CA hierarchy in the same forest. Depending on the security
needs, it could be a 1, 2, or 3 tiered CA hierarchy. A simple email
request will not be able to determine the depth.
- If mqs.com and abc.com are *separate* forests, and you want to use the
*same* CA hierarchy in both forests, then you must build a 2 or 3 tiered
CA hierarchy, with the root CA shared by the two forests.
When you build the root, ensure that you only use http URLs for the AIA
and CDP extensions for the subordinate CA certificates so that both
computers in both forests can retrieve the CRLs and root CA certificate.
For details on how to install CAs in these configurations, see the Best
practices whitepaper
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp) or my book
(http://www.microsoft.com/MSPress/books/6418.asp)
Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
|
|
Posted by sam on July 13, 2005, 7:36 am
Thanks Brian for the response. Maybe I was not clear, I have a single forest
called abc.com with a disjointed domain for production and that holds the
users and computers called mqs.com. I have been trying to install the
Enterprise server in the root and want to issue certs to production users in
the mqs.com without any luck. The root domain is for security only. I have
read some of your book and it’s a good one, but I cannot locate a specific
example where it applies to my situation.
All I want to do is have a 2 tier security with enterprise CA that issues
certs to production domain in a single forest.
Regards
"Brian Komar" wrote:
> sam@discussions.microsoft.com says...
> > Hi,
> >
> > I would appreciate if some one could direct me as to the best/common way of
> > installing certificate authority in windows 2003 Forest with the following
> > configurations:
> > Forest name space is “abc.com” and the production domain where all the users
> > reside is “mqs.com”
> > Is it possible to do this and how?
> >
> >
> > Thank you
> >
> >
> I am not really sure what your configuration is?
> - If mqs.com and abc.com are in the *same* forest, then you only need to
> install a CA hierarchy in the same forest. Depending on the security
> needs, it could be a 1, 2, or 3 tiered CA hierarchy. A simple email
> request will not be able to determine the depth.
>
> if mqs.com and abc.com are *separate* forests, and you want to use the
> *same* CA hierarchy in both forests, then you must build a 2 or 3 tiered
> CA hierarchy, with the root CA shared by the two forests.
>
> When you build the root, ensure that you only use http URLs for the AIA
> and CDP extensions for the subordinate CA certificates so that both
> computers in both forests can retrieve the CRLs and root CA certificate.
>
> For details on how to install CAs in these configurations, see the Best
> practices whitepaper
> (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp) or my book
> (http://www.microsoft.com/MSPress/books/6418.asp)
>
> Brian
>
> --
> ==
> Brian Komar
> MVP - Windows - Security
> http://www.identit.ca/blogs/brian
>
|
|
Posted by Paul Adare on July 13, 2005, 11:10 am
microsoft.public.windows.server.security news group, sam
> Thanks Brian for the response. May be I was not clear, I have a single forest
> called abc.com with a disjointed domain for production and that holds the
> users and computers called mqs.com. I have been trying to install the
> Enterprise server in the root and want to issue certs to production users in
> the mqs.com without any luck. the root domain is for security only. I have
> read some of your book and it’s a good one, but I can not locate specific
> example where it applies to my situation.
>
> All I want to do is have a 2 tier security with enterprise CA that issues
> certs to production domain in a single forest.
>
"Want to issue some certs to users in the mqs.com domain without any
luck" isn't anywhere close to providing enough information for anyone to
be able to even begin to help you. You're going to need to provide
details on what you've tried, what hasn't worked, error messages
generated, etc, etc, etc.
--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
|
|
Posted by sam on July 13, 2005, 8:50 am
Paul,
This is an infrastructure question. I did not ask for help regarding any
error issues. So, please read the question before replying.
This is not a straightforward question as you like to think. Please think
before jumping to conclusions. They are disjointed meaning they do not share
the same AD name space, meaning the security is different in most aspects and
so on.
Please DO NOT reply if you do not have the necessary knowledge to do so.
Sam
"sam" wrote:
> Hi,
>
> I would appreciate if some one could direct me as to the best/common way of
> installing certificate authority in windows 2003 Forest with the following
> configurations:
> Forest name space is “abc.com” and the production domain where all the users
> reside is “mqs.com”
> Is it possible to do this and how?
>
>
> Thank you
>
|