Posted by Brian Komar on July 22, 2005, 6:59 am
fasteddie@therockwells.net.no.spam says...
> Questions inline:
>
>
>
> > Answers inline:
> >
> >
> >
> > fasteddie@therockwells.net.no.spam says...
> >> Platform: Windows 2003 AD with an empty root
> >>
> >> We are installing an Enterprise CA in our Active Directory 2003 Forest. All
> >> our resources, users, and computers and effective GP settings are in a
> >> domain under the empty forest root domain.
> >>
> >> My questions:
> >>
> >> If I install the CA in the forest root, will the certificates and auto
> >> issuing of certificates work correctly in the other domains within the
> >> forest or should I install the Enterprise CA in the domain that houses all
> >> the resources, machines and users?
> >
> > It really does not matter which domain you install the certificates in.
> > Whichever domain you choose, you will have to do some additional work to
> > issue certificates to other domains in the forest.
> > 1) Certificate templates. The default permissions will only include
> > groups in the forest root domain. You must modify permissions for other
> > domains to assign Read and Enroll perms (possibly autoenroll).
> > 2) Publication to AD to the userCertificate attribute. An enterprise CA
> > by default can only publish certificates to user objects in the same
> > domain. Follow the instructions in Q281271 "Windows 2000 CA Config. to
> > Publish Certs in AD of Trusted Domain" to assign the correct perms to
> > the Cert Publishers group to the other domains in the forest.
> >
> >>
> >> Also, can I use this CA to issue certs in another Forest?
> >
> > No. A CA can only issue certs to users in the same forest. You can in
> > some cases, if the subject is provided in the request, but what you may
> > want to look at is a root that is not specific to either forest, and
> > then subordinate CAs in each forest.
>
> So you are saying I could have a Ent CA in my forest root (forest A, Domain
> A) and a subordinate in my member domain (Forest A, Domain B) to auto issue
> certs for machines and accounts?
Not quite.
A root CA in this scenario should be an offline CA (not a member of any
forest and running as a standalone CA). Then place a subordinate
enterprise CA in each forest to allow issuance of certificates to users,
computers, and devices in the two forests.
See the best practices white paper at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
Brian
--
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
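An added example, not code from the thread or from Brian: a PowerShell script that does step 1 of the quoted answer, namely auditing which principals hold Enroll/AutoEnroll on a certificate template and granting Read, Enroll and optionally AutoEnroll to a group from another domain in the forest. It assumes the ActiveDirectory PowerShell module and its AD: drive (Windows Server 2008 R2 RSAT or later, so newer than the 2003 environment in the thread), an account permitted to change the template ACL, and placeholder template and group names. The two extended-right GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment rights. The Cert Publishers change from Q281271 (step 2) is a separate task and is not covered here.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (AD: drive)
# and an account allowed to modify the template's security descriptor.
# Template and group names used below are placeholders for the reader's own values.
Import-Module ActiveDirectory

# Schema extended-right GUIDs that certificate templates use for enrollment permissions.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplateDN {
    param([Parameter(Mandatory)][string]$TemplateName)
    # Templates live in the configuration partition, so one object serves every domain
    # in the forest. $TemplateName is the template's CN (common name), not its display name.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    return "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

function Get-TemplateEnrollmentAccess {
    param([Parameter(Mandatory)][string]$TemplateName)
    $acl = Get-Acl -Path ("AD:\" + (Get-TemplateDN -TemplateName $TemplateName))
    # Emit every ACE that conveys Enroll or AutoEnroll. An ACE with an empty ObjectType
    # grants all extended rights, which includes both, so it is reported as well.
    foreach ($ace in $acl.Access) {
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        if     ($ace.ObjectType -eq $EnrollGuid)     { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $AutoEnrollGuid) { $right = 'AutoEnroll' }
        elseif ($ace.ObjectType -eq [guid]::Empty)   { $right = 'AllExtendedRights' }
        else   { continue }
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType
            Right    = $right
        }
    }
}

function Grant-TemplateEnrollment {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'CHILDDOMAIN\Domain Computers' (placeholder)
        [switch]$AutoEnroll
    )
    $path  = "AD:\" + (Get-TemplateDN -TemplateName $TemplateName)
    $acl   = Get-Acl -Path $path
    $sid   = (New-Object System.Security.Principal.NTAccount -ArgumentList $GroupName).Translate([System.Security.Principal.SecurityIdentifier])
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # Enroll only works together with Read on the template object, so grant both.
    $rules = @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid,
            ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead), $allow),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid,
            ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $allow, $EnrollGuid)
    )
    if ($AutoEnroll) {
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid,
            ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $allow, $AutoEnrollGuid
    }
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Return the resulting enrollment ACEs so the change is visible and reviewable.
    Get-TemplateEnrollmentAccess -TemplateName $TemplateName
}

# Usage with placeholder names: audit first (expect only forest-root groups on a fresh
# template), then grant the child domain's computers group Read, Enroll and AutoEnroll.
Get-TemplateEnrollmentAccess -TemplateName 'ChildDomainComputer' | Format-Table -AutoSize
Grant-TemplateEnrollment -TemplateName 'ChildDomainComputer' -GroupName 'CHILDDOMAIN\Domain Computers' -AutoEnroll |
    Format-Table -AutoSize
```

Run the audit on its own first; the default ACL on a new template names groups from the forest root domain only, which is exactly the gap the quoted answer describes. Granting AutoEnroll to a broad group such as Domain Computers means every machine in that domain will request the certificate, so scope the group to the hosts that actually need it and re-run the audit afterwards.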