Enterprise subordinate CA in parent:child domains

Guest

Hello,
I have root domain AD and child CHILD, 2000 native mode. AD is really a root
with no user and computer objects while CHILD contains all. I want to install
Enterprise Subordinate CA (Root is offline 3rd party CA) to be able to issue
computer certificates.
Questions I have so far:
1. What domain should I install CA into: AD or CHILD?
So far I have installed CA to CHILD and when I want to edit GPO in CHILD
domain to do auto-enrollment for computers I can see templates but no issuing
CA. Same applies when I install it to AD domain.

I have not been able to find this information anywhere but I assume CA
should be installed in the domain for which certificates are issued as in
2000 mode Cert Publishers group is Global, i.e. not crossing domain boundaries.

I would rather not implement steps as per KB 219059 and 281271.

Any help is appreciated.
Kind regards

Vladimir Jirasek
 
Steven L Umbach

When you install it to the child domain try to request a certificate from a
domain computer from the mmc snapin for user/computer certificate. Go to the
personal certificates folder, right click/all tasks - request certificate to
see if it works. If it does you are ready to go. While there check the
trusted root CA folder to see if your CA is there. I have never tried it
that way as I install a CA in the forest root, but I would be surprised if
it does not work for you. --- Steve
 
Guest

Hi Steven,
I cannot request a certificate as it says there is no CA. However in Sites
when I view Services I can see enrollment CA is mine. However
CertificateAuthority hive is missing in the tree.
Any thoughts?
Vladimir
 
Steven L Umbach

Try to request a certificate from the Certificate Authority itself for
itself as a test and also try Web Enrollment. If DNS is not configured
correctly in the domain, that can cause the error message you see. When you
go to AD Users and Computers does the CA computer show as a member of the
Cert Publishers group and does it show in the trusted certificate store for
any of the domain computers? Can you open the Certificate Authority
Management Console on the CA, and when you go to AD Sites and Services and
look under Public Key Services/Certification Authorities does it show your
CA? Are there any errors in the application or system log on the CA? ---
Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
--- Web Enrollment.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 ---
verify that your DNS is correct in the domain.
 
Guest

Hi Steven,
Well, no luck:
1. I cannot request a certificate even from CA itself for itself - error is
that there is no CA, or permissions
2. DNS works OK
3. I did not install Web Enrollment
4. CA is listed in Intermediate CA on CA itself but not on DC.....
5. Root CA certificate (offline) is listed in the trusted Root CAs on all
computers in the domain

I am really lost. CA was installed by Enterprise admin account into the child
domain.

Vladimir
 
Steven L Umbach

Are you sure that the CA you installed is an Enterprise CA? Run the command
certutil -cainfo on your CA to see if it reports that it is an Enterprise CA
or not. --- Steve
 
Brian Komar (IdentIT Inc)

"Vladimir Jirasek" <Vladimir (e-mail address removed)> says...
Hello,
I have root domain AD and child CHILD, 2000 native mode. AD is really a root
with no user and computer objects while CHILD contains all. I want to install
Enterprise Subordinate CA (Root is offline 3rd party CA) to be able to issue
computer certificates.
Questions I have so far:
1. What domain should I install CA into: AD or CHILD?
So far I have installed CA to CHILD and when I want to edit GPO in CHILD
domain to do auto-enrollment for computers I can see templates but no issuing
CA. Same applies when I install it to AD domain.
It really does not matter which domain you place the enterprise CA in.
The catch is that the permissions on the computer certificate templates
assume a single domain forest.

You must modify the permissions for *any* certificate template to allow
users/computers from *all* domains to have the Read and Enroll
permissions (and the Autoenroll permissions for v2 templates).

Use certtmpl.msc to modify the permissions to add, for example, the
Child\domain computers group and assign the Read, Enroll, and Autoenroll
permissions.

The decision on which domain to place the computer account is typically
based on the number of domain admins in each domain, or the GPO
deployment and management of the specific domains.

It does not affect the issuance of certs.

Also, remember to assign the autoenrollment GPO to the Computers
Configuration in the domain where the computer accounts exist. In your
case, the GPO must be linked to both domains in the forest.

Brian

<SNIP>
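The permission change Brian describes (Read, Enroll and Autoenroll for a group from another domain of the forest) is done through certtmpl.msc in the post. The script below is an added example, not from the thread, that makes the same change from PowerShell against the template object in the Configuration naming context and reads the resulting ACEs back. The template name 'Machine' and the group 'CHILD\Domain Computers' are placeholders; the two GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment extended rights. It assumes an Enterprise Admin session on a domain-joined machine that can resolve the child domain's group.

```powershell
# Added example: grant Read, Enroll and Autoenroll on a certificate template
# to a security group from another domain in the forest.
# Assumptions: Enterprise Admin session, domain-joined host; template and
# group names below are placeholders for the thread's scenario.
param(
    [string]$TemplateName = 'Machine',                 # placeholder template (cn)
    [string]$GroupAccount = 'CHILD\Domain Computers'   # placeholder group
)

# Well-known extended-right GUIDs used on certificate template objects.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Templates live in the Configuration NC, shared by every domain in the forest.
$configNc     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatePath = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($templatePath)) {
    throw "Template '$TemplateName' not found under $configNc"
}
$template = [ADSI]$templatePath

# Resolve the group to a SID; the cross-domain lookup needs the trust to work.
$sid = (New-Object System.Security.Principal.NTAccount($GroupAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]
# certtmpl.msc's "Read" is GenericRead; Enroll and Autoenroll are extended rights,
# so each gets its own ACE carrying the right's GUID as ObjectType.
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::GenericRead,   $allow),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ExtendedRight, $allow, $EnrollGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ExtendedRight, $allow, $AutoEnrollGuid)
)
foreach ($rule in $rules) { $template.ObjectSecurity.AddAccessRule($rule) }
$template.CommitChanges()

# Read back what the DC we are bound to now holds. Other DCs only show the
# change after Configuration NC replication has completed.
$template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Because the write lands on one DC and the Configuration NC replicates forest-wide, re-opening certtmpl.msc against a different DC immediately afterwards can still show the old ACL; compare the output of the read-back step with what the console shows before assuming the change was lost.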
 
Guest

Hi Brian,
Well, your suggestion is quite right. Looking at the template rights I can
see that only Root Domain has got Enroll permission. However when I set that
to my child domain or even add any other object to permissions and click OK,
next time I have a look it is gone. And this happens when logged in as enterprise
admin. There is no error when clicking OK button.
So now I am really confused.
Any thoughts? Anyone?
Thanks
Vladimir
 
Brian Komar (IdentIT Inc)

Hi Brian,
Well, your suggestion is quite right. Looking at the template rights I can
see that only Root Domain has got Enroll permission. However when I set that
to my child domain or even add any other object to permissions and click OK,
next time I have a look it is gone. And this happens when logged in as enterprise
admin. There is no error when clicking OK button.
So now I am really confused.
Any thoughts? Anyone?
Thanks
Vladimir
<snip>
It may just be a case of replication. When you are making the change,
you are modifying the DACL on an object in the Configuration Naming
Context. Typically, replication must complete for you to see the
modifications. Sometimes, waiting is good, or forcing replication with
tools such as repadmin.

Brian
 
Guest

Hello,
well the problem seems to be more complex. It appears that previous admin
installed Enterprise root CA in Root domain 2 years ago. Now I installed
Subordinate enterprise CA in child domain (cert issued by 3rd party CA) (where
all resources are) and even when I set correct permissions on templates I can
only see previous CA. Also in Sites and Services the only visible CA in hive
Certificate Authorities is the old one.

Is my assumption correct that my subordinate should be listed in Sites and
Services/Public Key .../Certificate Authorities?
I wonder if reinstall will work or if there is a limit on number of
enterprise CA in forest....
Thanks
Vladimir
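The thread keeps coming back to what Sites and Services shows under Public Key Services. The containers there are distinct: Certification Authorities holds root CA certificates that the forest trusts, which is why an old enterprise root CA sits there, while an enterprise subordinate CA registers itself under Enrollment Services (the entry clients and the autoenrollment policy use to find an issuing CA and the templates it offers), publishes its certificate to AIA, and must be present in NTAuthCertificates. The script below is an added example, not from the thread, that reads those containers from the Configuration naming context with plain ADSI calls so the state can be checked from any domain in the forest without the console. It assumes a domain-joined host with read access to the Configuration NC, which every authenticated user has.

```powershell
# Added example: list what the forest's Public Key Services containers hold.
# Assumption: domain-joined host; Configuration NC is readable by any
# authenticated user, so no elevated rights are needed to run this.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNc"

function Get-PkiContainerEntries {
    # One-level search of a child container of Public Key Services.
    param([string]$Container, [string]$Class)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pks"
    $searcher.Filter      = "(objectClass=$Class)"
    $searcher.SearchScope = 'OneLevel'
    $searcher.FindAll()
}

function ConvertTo-X509 {
    # Turn a raw cACertificate attribute value into an X509Certificate2.
    param([byte[]]$Raw)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Raw)
}

Write-Host '== Enrollment Services: enterprise CAs clients can enroll from =='
foreach ($r in Get-PkiContainerEntries -Container 'Enrollment Services' -Class 'pKIEnrollmentService') {
    $cert = ConvertTo-X509 -Raw $r.Properties['cacertificate'][0]
    [pscustomobject]@{
        CA        = $r.Properties['cn'][0]
        Host      = $r.Properties['dnshostname'][0]
        IssuedBy  = $cert.Issuer
        Templates = ($r.Properties['certificatetemplates'] -join ', ')
    }
}

Write-Host '== Certification Authorities: root CA certificates trusted forest-wide =='
foreach ($r in Get-PkiContainerEntries -Container 'Certification Authorities' -Class 'certificationAuthority') {
    $cert = ConvertTo-X509 -Raw $r.Properties['cacertificate'][0]
    [pscustomobject]@{ CA = $r.Properties['cn'][0]; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
}

Write-Host '== AIA: CA certificates published for chain building (subordinates appear here) =='
foreach ($r in Get-PkiContainerEntries -Container 'AIA' -Class 'certificationAuthority') {
    $cert = ConvertTo-X509 -Raw $r.Properties['cacertificate'][0]
    [pscustomobject]@{ CA = $r.Properties['cn'][0]; Subject = $cert.Subject; Issuer = $cert.Issuer }
}

# NTAuthCertificates: a CA missing from here cannot issue certificates that
# domain controllers will accept for logon, even if enrollment works.
$ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
$ntauthCerts = @($ntauth.Properties['cACertificate']) | ForEach-Object { (ConvertTo-X509 -Raw $_).Subject }
Write-Host ('NTAuthCertificates holds {0} CA certificate(s): {1}' -f $ntauthCerts.Count, ($ntauthCerts -join '; '))
```

If the subordinate CA appears under Enrollment Services with an empty Templates list, clients will see the CA but no template to enroll for; if it is absent from Enrollment Services altogether while certutil -cainfo on the CA reports an Enterprise CA, the registration in the Configuration NC did not happen or has not replicated to the DC the query was answered by, and `repadmin /syncall` against that DC is the next check.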
 