PKI Certificate Server Install in AD Empty Root Domain

microsoft.public.windows.server.security
Posted by FastEddie on July 21, 2005, 10:42 am
Platform: Windows 2003 AD with an empty root

We are installing an Enterprise CA in our Active Directory 2003 Forest. All
our resources, users, and computers and effective GP settings are in a
domain under the empty forest root domain.

My questions:

If I install the CA in the forest root, will the certificates and auto
issuing of certificates work correctly in the other domains within the
forest or should I install the Enterprise CA in the domain that houses all
the resources, machines and users?

Also, can I use this CA to issue certs in another Forest?

thanks,

Fast Eddie




Posted by Brian Komar on July 21, 2005, 11:59 am
Answers inline:



fasteddie@therockwells.net.no.spam says...
> Platform: Windows 2003 AD with an empty root
>
> We are installing an Enterprise CA in our Active Directory 2003 Forest. All
> our resources, users, and computers and effective GP settings are in a
> domain under the empty forest root domain.
>
> My questions:
>
> If I install the CA in the forest root, will the certificates and auto
> issuing of certificates work correctly in the other domains within the
> forest or should I install the Enterprise CA in the domain that houses all
> the resources, machines and users?

It really does not matter which domain you install the certificates in.
Whichever domain you choose, you will have to do some additional work to
issue certificates to other domains in the forest.
1) Certificate templates. The default permissions will only include
groups in the forest root domain. You must modify permissions for other
domains to assign Read and Enroll perms (possibly autoenroll).
2) Publication to AD to the userCertificate attribute. An enterprise CA
by default can only publish certificates to user objects in the same
domain. Follow the instructions in Q281271 "Windows 2000 CA Config. to
Publish Certs in AD of Trusted Domain" to assign the correct perms to
the Cert Publishers group to the other domains in the forest.

>
> Also, can I use this CA to issue certs in another Forest?

No. A CA can only issue certs to users in the same forest. You can in
some cases, if the subject is provided in the request, but what you may
want to look at is a root that is not specific to either forest, and
then subordinate CAs in each forest.
>
> thanks,
>
> Fast Eddie
>
>
>

--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian

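The two pieces of "additional work" Brian lists above (template permissions for child-domain groups, and letting the CA publish to userCertificate in the child domain) can be scripted. The block below is an added example by the editor, not code from the thread or from Microsoft; it assumes a management host with the RSAT ActiveDirectory PowerShell module and Enterprise Admin rights, and every forest, domain, host, template and group name in it is a placeholder.

```powershell
# Added example (editor's illustration, not code from the thread). Assumes the
# RSAT ActiveDirectory module and Enterprise Admin rights; all names below are
# placeholders for the poster's environment.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$RootDomain   = 'corp.example'          # empty forest root (assumed name)
$ChildDomain  = 'users.corp.example'    # domain holding the users/computers (assumed)
$CaHost       = 'CA01'                  # enterprise CA computer account in the root (assumed)
$TemplateName = 'Workstation'           # cn of the template, not its display name (assumed)
$GroupName    = 'Domain Computers'      # child-domain group that should (auto)enroll (assumed)

# Well-known extended-right GUIDs used on certificate template objects.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# 1) Template permissions. Templates exist once per forest, in the Configuration
#    partition, which is why their default ACEs name root-domain groups only.
$configNC   = (Get-ADRootDSE -Server $RootDomain).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$groupSid   = (Get-ADGroup -Identity $GroupName -Server $ChildDomain).SID
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$templateDN"
# Read on the template object itself.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)))
# Enroll and Autoenroll are control-access (extended) rights keyed by GUID.
foreach ($right in $EnrollRight, $AutoEnrollRight) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $right)))
}
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 2) Publication to userCertificate in the child domain. In a domain created
#    with Windows Server 2003, Cert Publishers is a domain local group whose
#    membership is what grants write access to userCertificate on that
#    domain's user objects, so add the root-domain CA's computer account to
#    the child domain's group.
$caComputer = Get-ADComputer -Identity $CaHost -Server $RootDomain
Add-ADGroupMember -Identity 'Cert Publishers' -Server $ChildDomain -Members $caComputer

# Verification: show the ACEs now held by the child-domain group on the template,
# and confirm the CA account is a member of the child's Cert Publishers.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

Get-ADGroupMember -Identity 'Cert Publishers' -Server $ChildDomain |
    Where-Object { $_.SID -eq $caComputer.SID }
```

Two caveats a practitioner would want: a Windows 2000 domain that was upgraded in place may still have Cert Publishers as a global group, in which case the explicit write-ACE on userCertificate described in Q281271 is the route rather than group membership; and granting Autoenroll on the template does nothing until autoenrollment is also switched on by Group Policy in the child domain, which, given the poster's empty-root design, is where the effective GPOs live.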

Posted by kerberos_boy on July 21, 2005, 11:41 am
From Microsoft Technet document "Windows Server 2003 PKI Operations
Guide":

"Best Practice:
The recommended best practice is to install CAs as a member of the root
domain in the forest to provide centralized administration and control
of the PKI services. For additional best practices, see the Windows
Server 2003 Resource Kit."

Please see this link:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

HTH,

Kerberos_Boy



Posted by FastEddie on July 21, 2005, 2:43 pm
Thanks. Just what I was looking for.

-Fasteddie



Posted by Brian Komar on July 22, 2005, 7:02 am
kerberos_boy@yahoo.com says...
> From Microsoft Technet document "Windows Server 2003 PKI Operations
> Guide":
>
> "Best Practice:
> The recommended best practice is to install CAs as a member of the root
> domain in the forest to provide centralized administration and control
> of the PKI services. For additional best practices, see the Windows
> Server 2003 Resource Kit."
>
> Please see this link:
>
>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> HTH,
>
> Kerberos_Boy
>
<snip>
Although it is in an MS paper, I have found this to be an over-simplification.
Other factors can lead a company to placing the enterprise CA in a
domain other than the forest root domain.
- GPO deployment - If the GPO design is not well developed in the root
domain (the empty root model), then it may be better from a security
perspective to place the CA computer account in a non-root domain.

- Security policies for computer account placement in the root domain.
Some organizations have policies that only root domain DCs will exist in
the forest root domain. All application servers, including CAs must be
in a child domain.

To be honest, it really does not matter. Both solutions (forest root or
not) can be secured.

Brian

--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian

