Cert Server - Changed Enterprise CA

[Scott Townsend]

We had some issues with one of our DCs and with MS Support's Advice we had
to demote it, which involved removing the Enterprise Root CA that was on it.
I installed a new Enterprise Root CA on a new DC, though not sure that AD is
happy.

I originally installed the CA to be used with our Cisco PIX and VPN
connections, though later found out that you could not use an Enterprise
Root and needed a Standalone Root. I just left the Enterprise Root there. I
didn't think it was really used for anything. Though now I think it might
have been.

The old cert server had Certs issued to each of the PCs/Servers in the
domain. How do I get the new Cert Server to issue new certs to the
PCs/Servers or have the PCs/Servers request a new Cert from the new CA?

Thanks,
Scott<-

 

[Vincent Xu [MSFT]]

Hi Scott,

Of course you need to have the PCs/Servers request a new Cert from the new
CA

Thanks.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Scott Townsend]

How do I have them do that?

Can I put it in the Login Script for the Domain?

Thank you,

 

[Vincent Xu [MSFT]]

Hi,

To manually request a Cert, you can refer to following article:

323342 How to install a certificate for use with IP Security in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323342

To automatically get a Cert by GP, you can refer to following steps:

Before you create an automatic certificate request, you must know the
following:
1. The type of certificate you want computers to enroll for automatically.
2. The certification authority (CA) that will issue the certificate.

Install a Certificate Template
Use the following steps to install a certificate template, and note that
these steps must be performed on an enterprise CA in the Active Directory
domain:
1. Click Start , point to Programs , point to Administrative Tools , and
then click Certificate Authority .
2. In the Certification Authority console, expand your domain name,
right-click the Policy Settings node in the left pane, point to New , and
then click Certificate to Issue .
3. In the Select Certificate Template dialog box, click the certificate
template you require. In this example, click the IPSEC certificate , and
then click OK .
4. Quit the Certification Authority console.

Configure the Automatic Certificate Request Policy
Use the following steps to configure an automatic certificate request
policy that allows automatic enrollment for domain computers: 1. Click
Start , point to Programs , point to Administrative Tools , and then click
Active Directory Users and Computers .
2. In the Active Directory Users and Computers console, right-click your
domain name, and then click Properties .
3. Click the Group Policy tab, click a domain group policy object, and then
click Edit .
4. In the Group Policy console, expand the Computer Configuration node,
expand the Windows Settings node, expand the Security Settings node, and
then expand the Public Key Policies node.
5. Right-click the Automatic Certificate Request Settings node, point to
New , and then click Automatic Certificate Request .
6. When the Automatic CertificateRequest Setup Wizard starts, click Next .
7. On the Certificate Template page, click the template you require. In
this example, click the IPSEC template, and then click Next .
8. On the Certificate Authority page, select the enterprise CA for your
domain by placing a checkmark in the check box to the left of the CA. Click
Next .
9. On the Completing the Automatic Certificate Request Setup page, click
Finish . The new certificate is automatically requested the next time the
user logs on or the next time the domain Group Policy is refreshed. The
certificate will be installed on new computers when they join the domain.

Hope this helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Scott Townsend]

Below on Step

8. On the Certificate Authority page, select the enterprise
CA for your domain by placing a checkmark in the check box
to the left of the CA. Click Next .

There is not an option to select a CA for me. It just skips that dialog I
guess?

We only have one RootCA in the Enterprise, so is it just using the one?

Thank you,

Scott<-

 

[Scott Townsend]

So as per the Instructions I added an IPSec Cert Template and added that to
the Default Group Policy. That worked fine. I rebooted and not my machine
has an IPSec Cert from the new CA.

Though the Computer Certificate was already in the Default GPO and I did
properties on it and went through all the pages and it didn't ask to
reassociate it with the new CA. Would I want to Delete it and readd the
Computer Template?

Thanks,
Scott<-

 

[Vincent Xu [MSFT]]

Hi Scotter,

Since there only one CA in your Network, you have the only choice to use it.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with
break/fix issues and simple how to questions.

We also love to hear your product feedback!
Let us know what you think by posting
from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.
We look forward to hearing from you!
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Vincent Xu [MSFT]]

Hi Scott ,

Yes, please remove the original Computer Certificate in default GPO since
it is generated by the old CA.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Scott Townsend]

So I removed it and readded it, and it looks like I get a new Cert.

Though why doesn't the CA show up as one of the listed Trusted CA in the
Automatic Certificate Request entry?

Thanks,
Scott<-

 

[Vincent Xu [MSFT]]

Hi Scotter,

I found one sentence in your first post:

"though later found out that you could not use an Enterprise Root and
needed a Standalone Root. I just left the Enterprise Root there. I didn't
think it was really used for
anything"

If the CA is not Enterprise Root, it will not appear in the Trusted CA

Then, Please make sure you are checking "Trusted Root CA" not checking
"Trusted Publishers"

At last, please check, it the old CA appears in the Trusted CA list?

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Scott Townsend]

So on a PC/Server I can load up the Certificates Snap-in and look at the
local machine's Trusted Root CAs.
In there are all the normal ones and my three

Standalone (enmvpnca)
Old Enterprise Root CA (ENMInternal)
New Enterprise Root CA (EandMInternal)

So All three are listed in there.

I guess I was wondering why in the GPO editor for adding the Automatic
Certificate Request entry, there was not an option to select a CA. If I go
into the Properties and try to edit the entry that is there, I see the place
where you are supposed to select a CA, but the list is empty.

Thank you,
Scott<-=

 

[Vincent Xu [MSFT]]

Hi Scotter,

I trying to build a test enviroment to reproduce your issue.Meanwhile, I'll
try to research this. Hope I can give a explanation.

Thanks for your patience.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

 

[Vincent Xu [MSFT]]

Hi Scotter,

I'm back.

I build a test machine with CA to test your issue and I get the same result
that when adding the Automatic Certificate Request entry, there was not an
option to select a CA. Therefore, I try to find out why. The Automatic
Certificate Request Setup Wizard asks which certification authority (CA) it
should query when the wizard runs on Windows 2000. The wizard will not
prompt you when it runs on Windows XP or the Windows Server 2003 family.

more information
<http://technet2.microsoft.com/WindowsServer/en/Library/9699f873-7ddd-4805-9
953-a2d62e95e4d61033.mspx?mfr=true>

Hope this helps

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

X-Tomcat-ID: 189306739
References: <[email protected]>

<[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
<#[email protected]>

MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
From: (e-mail address removed) (Vincent Xu [MSFT])
Organization: Microsoft
Date: Fri, 09 Jun 2006 10:02:24 GMT
Subject: Re: Cert Server - Changed Enterprise CA
X-Tomcat-NG: microsoft.public.win2000.active_directory
Message-ID: <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
Lines: 428
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.active_directory:114289
NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122

Hi Scotter,

I trying to build a test enviroment to reproduce your issue.Meanwhile, I'll
try to research this. Hope I can give a explanation.

Thanks for your patience.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

From: "Scott Townsend" <[email protected]>
References: <[email protected]>

<[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>

Subject: Re: Cert Server - Changed Enterprise CA
Date: Thu, 8 Jun 2006 07:40:40 -0700
Lines: 400
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-ID: <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
NNTP-Posting-Host: 204-145-245-49.enm.com 204.145.245.49
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.active_directory:114259
X-Tomcat-NG: microsoft.public.win2000.active_directory

So on a PC/Server I can load up the Certificates Snap-in and look at the
local machine's Trusted Root CAs.
In there are all the normal ones and my three

Standalone (enmvpnca)
Old Enterprise Root CA (ENMInternal)
New Enterprise Root CA (EandMInternal)

So All three are listed in there.

I guess I was wondering why in the GPO editor for adding the Automatic
Certificate Request entry, there was not an option to select a CA. If I go
into the Properties and try to edit the entry that is there, I see the place
where you are supposed to select a CA, but the list is empty.

Thank you,
Scott<-=
Hi Scotter,

I found one sentence in your first post:

"though later found out that you could not use an Enterprise Root and
needed a Standalone Root. I just left the Enterprise Root there. I didn't
think it was really used for
anything"

If the CA is not Enterprise Root, it will not appear in the Trusted CA

Then, Please make sure you are checking "Trusted Root CA" not checking
"Trusted Publishers"

At last, please check, it the old CA appears in the Trusted CA list?

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
From: "Scott Townsend" <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Wed, 7 Jun 2006 07:17:08 -0700
Lines: 285
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
NNTP-Posting-Host: 204-145-245-49.enm.com 204.145.245.49
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:114203
X-Tomcat-NG: microsoft.public.win2000.active_directory

So I removed it and readded it, and it looks like I get a new Cert.

Though why doesn't the CA show up as one of the listed Trusted CA in the
Automatic Certificate Request entry?

Thanks,
Scott<-
Hi Scott ,

Yes, please remove the original Computer Certificate in default GPO
since
it is generated by the old CA.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================



--------------------
From: "Scott Townsend" <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Tue, 6 Jun 2006 17:03:42 -0700
Lines: 198
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
NNTP-Posting-Host: 204-145-245-49.enm.com 204.145.245.49
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:114179
X-Tomcat-NG: microsoft.public.win2000.active_directory

So as per the Instructions I added an IPSec Cert Template and added
that
to
the Default Group Policy. That worked fine. I rebooted and not my
machine
has an IPSec Cert from the new CA.

Though the Computer Certificate was already in the Default GPO and I
did
properties on it and went through all the pages and it didn't ask to
reassociate it with the new CA. Would I want to Delete it and readd
the
Computer Template?

Thanks,
Scott<-
Hi,

To manually request a Cert, you can refer to following article:

323342 How to install a certificate for use with IP Security in
Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323342

To automatically get a Cert by GP, you can refer to following steps:

Before you create an automatic certificate request, you must know
the
following:
1. The type of certificate you want computers to enroll for
automatically.
2. The certification authority (CA) that will issue the certificate.

Install a Certificate Template
Use the following steps to install a certificate template, and note
that
these steps must be performed on an enterprise CA in the Active
Directory
domain:
1. Click Start , point to Programs , point to Administrative Tools ,
and
then click Certificate Authority .
2. In the Certification Authority console, expand your domain name,
right-click the Policy Settings node in the left pane, point to New
,
and
then click Certificate to Issue .
3. In the Select Certificate Template dialog box, click the
certificate
template you require. In this example, click the IPSEC certificate ,
and
then click OK .
4. Quit the Certification Authority console.

Configure the Automatic Certificate Request Policy
Use the following steps to configure an automatic certificate
request
policy that allows automatic enrollment for domain computers: 1.
Click
Start , point to Programs , point to Administrative Tools , and then
click
Active Directory Users and Computers .
2. In the Active Directory Users and Computers console, right-click
your
domain name, and then click Properties .
3. Click the Group Policy tab, click a domain group policy object,
and
then
click Edit .
4. In the Group Policy console, expand the Computer Configuration
node,
expand the Windows Settings node, expand the Security Settings node,
and
then expand the Public Key Policies node.
5. Right-click the Automatic Certificate Request Settings node,
point
to
New , and then click Automatic Certificate Request .
6. When the Automatic CertificateRequest Setup Wizard starts, click
Next .
7. On the Certificate Template page, click the template you require.
In
this example, click the IPSEC template, and then click Next .
8. On the Certificate Authority page, select the enterprise CA for
your
domain by placing a checkmark in the check box to the left of the
CA.
Click
Next .
9. On the Completing the Automatic Certificate Request Setup page,
click
Finish . The new certificate is automatically requested the next
time
the
user logs on or the next time the domain Group Policy is refreshed.
The
certificate will be installed on new computers when they join the
domain.

Hope this helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your
newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no
rights.
======================================================



--------------------
From: "Scott Townsend" <[email protected]>
References: <[email protected]>
<[email protected]>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Thu, 1 Jun 2006 10:05:44 -0700
Lines: 79
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-ID: <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
NNTP-Posting-Host: 204-145-245-49.enm.com 204.145.245.49
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:114076
X-Tomcat-NG: microsoft.public.win2000.active_directory

How do I have them do that?

Can I put it in the Login Script for the Domain?

Thank you,
Hi Scott,

Of course you need to have the PCs/Servers request a new Cert
from
the
new
CA

Thanks.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security

======================================================
When responding to posts, please "Reply to Group" via your
newsreader
so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers
no
rights.
======================================================



--------------------
From: "Scott Townsend" <[email protected]>
Subject: Cert Server - Changed Enterprise CA
Date: Tue, 30 May 2006 11:57:18 -0700
Lines: 19
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-RFC2646: Format=Flowed; Original
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Message-ID: <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
NNTP-Posting-Host: 204-145-245-49.enm.com 204.145.245.49
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:114022
X-Tomcat-NG: microsoft.public.win2000.active_directory

We had some issues with one of our DCs and with MS Support's
Advice
we
had
to demote it, which involved removing the Enterprise Root CA
that
was
on
it.
I installed a new Enterprise Root CA on a new DC, though not
sure
that
AD
is
happy.

I originally installed the CA to be used with our Cisco PIX and
VPN
connections, though later found out that you could not use an
Enterprise
Root and needed a Standalone Root. I just left the Enterprise
Root
there.
I
didn't think it was really used for anything. Though now I
think
it
might
have been.

The old cert server had Certs issued to each of the PCs/Servers
in
the
domain. How do I get the new Cert Server to issue new certs to
the
PCs/Servers or have the PCs/Servers request a new Cert

from
the

new
CA?

Thanks,
Scott<-