
enabling LDAP over SSL: Enterprise CA in separate AD tree

Newsgroup: microsoft.public.windows.server.security
Subject: enabling LDAP over SSL: Enterprise CA in separate AD tree
Author: mtw
Date: 08-17-2006
Posted by mtw on August 21, 2006, 10:47 am

Brian wrote:
> Run certutil -dcinfo for each domain. This will report back to you
> - What DCs have certs
> - What certs each DC has
> - Whether the certs are valid
> Brian

Brian,

I've run certutil. In domain B I see an enterprise root certificate
for each DC issued by the CA in domain A. I don't see any output that
says "invalid" so I assume that the cert is valid. Does this mean I'm
in the clear?

Thanks for your help,

-mtw


Posted by Brian Komar [MVP] on August 21, 2006, 6:43 pm
mtw@vne.net says...
>
> Brian wrote:
> > Run certutil -dcinfo for each domain. This will report back to you
> > - What DCs have certs
> > - What certs each DC has
> > - Whether the certs are valid
> > Brian
>
> Brian,
>
> I've run certutil. In domain B I see an enterprise root certificate
> for each DC issued by the CA in domain A. I don't see any output that
> says "invalid" so I assume that the cert is valid. Does this mean I'm
> in the clear?
>
> Thanks for your help,
>
> -mtw
>
>
??
Not sure what you mean. You should see either a domain controller or a
domain controller authentication certificate. An enterprise root
certificate would mean that you have made every single DC an enterprise
root CA which does not make sense.
Maybe post a sample, changing the names to protect the innocent.
Brian

Posted by mtw on August 22, 2006, 10:56 am
> Not sure what you mean. You should see either a domain controller or a
> domain controller authentication certificate.

Ok, here is output from domain controller "hardy" in domain-b. Upon
closer inspection I see that "hardy" does have a Domain Controller
certificate template under KDC certificates, but it appears "laurel"
does not. "laurel" is the machine that should accept LDAP/SSL
connections.

c:\>certutil -dcinfo
0: LAUREL
1: HARDY

*** Testing DC[0]: LAUREL
** Enterprise Root Certificates for DC LAUREL
Certificate 0:
Serial Number: 326e2dd38ac1a9a643ccd59e1617f215
Issuer: CN=CertAuth, DC=DOMAIN-A,DC=example,DC=com
Subject: CN=CertAuth, DC=DOMAIN-A, DC=example, DC=com
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 74 61 fa f3 35 fa cf ea 95 77 9e dc 7a f6 7a 7b 0b 29 db 60

** KDC Certificates for DC LAUREL
0 KDC certs for LARUEL
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[1]: HARDY
** Enterprise Root Certificates for DC HARDY
Certificate 0:
Serial Number: 326e2dd38ac1a9a643ccd59e1617f215
Issuer: CN=CertAuth, DC=DOMAIN-A, DC=example, DC=com
Subject: CN=CertAuth, DC=DOMAIN-A, DC=example, DC=com
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 74 61 fa f3 35 fa cf ea 95 77 9e dc 7a f6 7a 7b 0b 29 db 60

** KDC Certificates for DC HARDY
Certificate 0:
Serial Number: 20282dae000000000005
Issuer: CN=laurel, DC=DOMAIN-B, DC=example, DC=com
Subject: CN=hardy.domain-b.example.com
Certificate Template Name: DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): d7 26 49 4c ca c2 63 3f b7 87 99 1b ca c2 1e 30 da 2a 61 72

1 KDC certs for HARDY

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
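The output above makes the point Brian was driving at: the "Enterprise Root Certificates" section only lists the CA certificate (CertAuth in domain A) that the DC trusts, while the "KDC Certificates" section lists certificates in the DC's own machine store. LAUREL has none, so it has nothing to present on port 636 no matter how the CA is set up; HARDY has one issued from the DomainController template, which carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that LDAPS requires. The PowerShell below is an added example, not code posted in this thread. It parses certutil -dcinfo text into per-DC objects (run here against a trimmed copy of the output posted above) and, optionally, opens a TLS session to port 636 to report the certificate a DC actually presents, whether it has that EKU, and whether the probing machine trusts its chain. The DNS suffix domain-b.example.com is taken from the thread's sample; the function and variable names are my own.

```powershell
# Added example for this thread (not code from mtw or Brian Komar).
# 1. ConvertFrom-DcInfo parses "certutil -dcinfo" output: per DC, how many
#    KDC (machine-store) certs exist, their templates, and any error codes.
# 2. Test-LdapsCertificate connects to TCP 636 and reports the presented
#    certificate, its Server Authentication EKU, and local chain trust.
# Assumptions: certutil.exe on PATH for the live run; DNS suffix
# "domain-b.example.com" comes from the thread, not from discovery.

function ConvertFrom-DcInfo {
    param([Parameter(Mandatory)][string[]]$Lines)
    $results = @()
    $current = $null
    $inKdc   = $false
    foreach ($line in $Lines) {
        if ($line -match '^\*\*\* Testing DC\[\d+\]: (\S+)') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{ DC = $Matches[1]; KdcCerts = 0; Templates = @(); Errors = @() }
            $inKdc = $false
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^CertUtil:') { continue }   # overall command status, not DC-specific
        if ($line -match '^\*\* KDC Certificates for DC')      { $inKdc = $true;  continue }
        if ($line -match '^\*\* Enterprise Root Certificates') { $inKdc = $false; continue }
        # Only the KDC section matters for LDAPS; the enterprise root section
        # lists trusted CA certs, not certs the DC itself can serve.
        if (-not $inKdc) { continue }
        if ($line -match '^(\d+) KDC certs for')               { $current.KdcCerts = [int]$Matches[1] }
        if ($line -match '^Certificate Template Name: (\S+)') { $current.Templates += $Matches[1] }
        if ($line -match '(0x8[0-9A-Fa-f]{7})')                { $current.Errors += $Matches[1] }
    }
    if ($current) { $results += $current }
    return $results
}

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        # Callback returns $true so an untrusted chain does not abort the
        # handshake; trust is evaluated separately with X509Chain below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $serverAuth = $false
        if ($eku) { $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }) }
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        [pscustomobject]@{
            Server        = $Server
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $serverAuth
            ChainTrusted  = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    } catch {
        [pscustomobject]@{ Server = $Server; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Constructed sample: a trimmed copy of the certutil -dcinfo output in this thread.
$sample = @'
*** Testing DC[0]: LAUREL
** Enterprise Root Certificates for DC LAUREL
Certificate Template Name: CA
** KDC Certificates for DC LAUREL
0 KDC certs for LAUREL
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)
*** Testing DC[1]: HARDY
** Enterprise Root Certificates for DC HARDY
Certificate Template Name: CA
** KDC Certificates for DC HARDY
Certificate Template Name: DomainController
1 KDC certs for HARDY
CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
'@ -split '\r?\n'

ConvertFrom-DcInfo -Lines $sample | Format-Table DC, KdcCerts, Templates, Errors -AutoSize

# Live run (needs certutil and network reach to the DCs on port 636).
if (Get-Command certutil.exe -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-DcInfo -Lines ((certutil -dcinfo 2>&1) | ForEach-Object { "$_" })
    foreach ($dc in $live) {
        Test-LdapsCertificate -Server ('{0}.domain-b.example.com' -f $dc.DC.ToLower())
    }
}
```

On the sample, LAUREL reports 0 KDC certs with error 0x80092004 and HARDY reports 1 cert from the DomainController template, which matches the thread. For the live probe, a DC with no machine-store certificate will fail the handshake and surface in the Error field; a DC that presents a certificate without ChainTrusted set to true means the probing client does not trust the issuing CA, which is the cross-forest piece of this setup (clients in domain B must hold CertAuth from domain A in their trusted roots).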

