Posted by Thomas H on January 13, 2008, 4:04 pm
Hi Brian, thanks very much for the reply!
I think I understand now: Are you saying that the docs I read that said
"Enterprise Edition is required for auto-enrolling" was talking about v2
templates, and not v1's? (I was expecting v1, but I plan to ask for an
upgrade to EE once this has been working for a while)
Which must mean that Standard Edition will auto-enroll v1 templates as long
as they're policy-based requests?
Oh and one more question- So even though I didn't set up an Auto Cert
Request inside of Group Policy, the DCs will still ask for- and receive- a
certificate automatically? I even ran an rsop.msc on the DC, and the only
thing it found was ComputerConfig\Windows\Security\Public Key
Policies\Autoenrollment Settings, Enroll certs automatically=Enabled. I
thought I also had to set up Public Key Policies\Automatic Certificate
Request? Or does an "enroll automatically" elimate the need for an auto cert
request?
Funny, I thought IPSec was going to be the hard part... (laughs)
-T
"Brian Komar" wrote:
> A couple of things.
> The Domain Controller certificate is a version 1 certificate template, and
> will deploy automatically using Automatic Certificate Request Settings. DCs
> are hard coded to request this certificate (if available).
> - You are a bit mistaken on the functionality of the standard edition SKU
> and enterprise CAs. You will be unable to deploy *any* certificates based on
> version 2 certificate templates. So there would be no auto-requests as you
> describe waiting for approval.
> Brian
>
> > So I'm in "virtual land" because I want to enable IPSec communication between
> > our intersite DCs. My sandbox is all Windows 2003 server R2 SE SP2, and has
> > 4 DCs, 2 sites, and a member server. I built an enterprise root CA on the
> > member server. I had to manually add the Domain Controllers group to the
> > member server's local CERTSVC_DCOM_ACCESS group. I rebooted all the DCs, and
> > went off to read some documentation on how to set up IPSec.
> >
> > I came back to the CA that I built (again, on 2k3 SE R2 SP2), and just
> > started poking around. Somehow, in the "Issued Certificates" node, two of my
> > DCs had certificates!
> >
> > I went to one of the DCs, and loaded the Certificates snap-in for the local
> > computer (the DC), and sure enough, there was a Domain Controller certificate
> > in the Personal\Certificates node. I went to the Application event log on the
> > DC, and saw an Information message from the AutoEnrollment source, saying
> > "Automatic certificate enrollment for local system successfully received one
> > Domain Controller certificate from certificate authority mytestca1 on
> > mytestca1.mytest.local."
> >
> > However, I didn't set up any automatic requests in group policy yet!
> > Everything is still at its defaults (not even SCW has been run yet in my test
> > domain). Plus, since the root CA I set up was Standard Edition and not
> > Enterprise Edition, I didn't think anything could auto-enroll (just
> > auto-request, and I'd have to manually approve it).
> >
> > Anyone seen this before? Are DCs magically allowed to auto-enroll by
> > default?
> >
> > Thanks!
> >
>
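The thread turns on two things a reader can verify on the DC itself: whether the "Enroll certificates automatically" policy is in effect, and whether the certificate that showed up came from a version 1 template (the Domain Controller template Brian describes) or a version 2 template (which a Standard Edition CA cannot issue). A CA records which template it used as a certificate extension, and the extension differs by template version: v1 templates get a "Certificate Template Name" extension (OID 1.3.6.1.4.1.311.20.2) holding the template's name, v2 templates get a "Certificate Template Information" extension (OID 1.3.6.1.4.1.311.21.7) holding the template's OID and version numbers. The following script is an added example, not part of this thread or written by either poster. It assumes PowerShell 2.0 or later running elevated on the DC being checked; the AEPolicy bit meanings are the Windows autoenrollment flags (0x8000 disables autoenrollment entirely, 0x1 and 0x2 correspond to the two check boxes under the GPO setting) and the event source name is the Windows Server 2003 one quoted in the original post.

```powershell
# Added example (not from the thread): report the machine's autoenrollment policy,
# classify certificates in the computer's Personal store by template version, and
# pull the recent AutoEnrollment events that the original post quotes from.
# Assumes: PowerShell 2.0+, run elevated on the DC; Microsoft template-extension OIDs below.

$V1TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # szOID_ENROLL_CERTTYPE_EXTENSION: v1 template name
$V2TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE: v2 template OID + version

function Get-AutoEnrollmentPolicy {
    # "Enroll certificates automatically" from Group Policy lands here as a bitmask.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($value -eq $null) { $value = 0 }   # no value = default = enabled, no extra checks
    New-Object PSObject -Property @{
        AEPolicy          = ('0x{0:X}' -f $value)
        Enabled           = (($value -band 0x8000) -eq 0)   # 0x8000 = AUTO_ENROLLMENT_DISABLE_ALL
        TemplateCheck     = (($value -band 0x1) -ne 0)      # "Update certificates that use certificate templates"
        MyStoreManagement = (($value -band 0x2) -ne 0)      # "Renew expired / update pending / remove revoked"
    }
}

function Get-TemplateCertificate {
    # Walk the computer's Personal store and say which template (and which version) issued each cert.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $V1TemplateNameOid }
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $V2TemplateInfoOid }
        $version = 'none'; $template = ''
        if ($v2)     { $version = 'v2'; $template = $v2.Format($false) }   # "Template=..., Major Version Number=..."
        elseif ($v1) { $version = 'v1'; $template = $v1.Format($false) }   # e.g. "DomainController"
        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            TemplateVersion = $version
            Template        = $template
        }
    }
}

function Get-AutoEnrollmentEvent {
    param([int]$Newest = 10)
    # Windows Server 2003 writes these to the Application log under source "AutoEnrollment"
    # (later Windows versions use a dedicated CertificateServicesClient-AutoEnrollment channel).
    Get-EventLog -LogName Application -Source AutoEnrollment -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

Get-AutoEnrollmentPolicy | Format-List
Get-TemplateCertificate | Where-Object { $_.TemplateVersion -ne 'none' } |
    Format-Table Subject, TemplateVersion, Template, NotAfter -AutoSize
Get-AutoEnrollmentEvent | Format-Table -Wrap
```

A Domain Controller certificate issued by a Standard Edition CA should show up as TemplateVersion v1 with Template DomainController; any v2 row would mean the CA is issuing something the thread says it cannot. To force a fresh autoenrollment pass while watching the event log, run `gpupdate /force` on Windows Server 2003 (it triggers the autoenrollment client), or `certutil -pulse` on Windows Vista/Server 2008 and later.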