R
Robert Field
I am in the middle of putting a PKI in for our company. The design I
have implemented is as follows. In our Windows 2000 Forest we have an
empty root (Root.Domain) and we have two other trees (Domain1 and
Domain2).
I've got a Windows 2003 server hosting our ROOTCA this sits in it's
own work group.
I then created an Enterprise subordinate CA on one of the DC's sitting
in Root.Domain this installed ok. Part of the install required me to
create a request file to get a certificate from the ROOTCA. This I i
did. We then sent the request via web enrollment, approved it on the
ROOTCA and then installed it on the domain controller in the
Root.Domain.
After this I then installed a second Enterprise Subordinate this time
on a domain controller in Domain1. I Pointed this towards the
subordinate ca on the domain controller in Root.Domain. Everything
seemed to be working ok.
(I was logged on as Enterprise Admin for the two steps above)
Now I am trying to automatically deploy a computer certificate to a
certain number of our Domain1 Laptops. When I log on as an Enterprise
Admin on a DC in Domain 1 I can see the two Subordinate CA's in the
Forest. When I log on as a Domain Admin in Domain1 I cannot see any of
the CA's. I've checked all the permissions in AD Site's and Services
and ensured Domain Admins and Domain Computers have Read and Enroll
rights to them.
First of all. Are there any issues with my proposed ca design? And
secondly I am guessing the issue I have is a permissions problem but I
am running out of places to check, does anyone have any ideas.
Robert Field
Land Securities
(e-mail address removed)
have implemented is as follows. In our Windows 2000 Forest we have an
empty root (Root.Domain) and we have two other trees (Domain1 and
Domain2).
I've got a Windows 2003 server hosting our ROOTCA this sits in it's
own work group.
I then created an Enterprise subordinate CA on one of the DC's sitting
in Root.Domain this installed ok. Part of the install required me to
create a request file to get a certificate from the ROOTCA. This I i
did. We then sent the request via web enrollment, approved it on the
ROOTCA and then installed it on the domain controller in the
Root.Domain.
After this I then installed a second Enterprise Subordinate this time
on a domain controller in Domain1. I Pointed this towards the
subordinate ca on the domain controller in Root.Domain. Everything
seemed to be working ok.
(I was logged on as Enterprise Admin for the two steps above)
Now I am trying to automatically deploy a computer certificate to a
certain number of our Domain1 Laptops. When I log on as an Enterprise
Admin on a DC in Domain 1 I can see the two Subordinate CA's in the
Forest. When I log on as a Domain Admin in Domain1 I cannot see any of
the CA's. I've checked all the permissions in AD Site's and Services
and ensured Domain Admins and Domain Computers have Read and Enroll
rights to them.
First of all. Are there any issues with my proposed ca design? And
secondly I am guessing the issue I have is a permissions problem but I
am running out of places to check, does anyone have any ideas.
Robert Field
Land Securities
(e-mail address removed)