cannot create new certificate template to issue

Archived from groups: microsoft.public.win2000.security

I'm running Server 2003, my own root CA, logged on as domain admin. In the
Certificate Templates management MMC I create a duplicate certificate. On the
General tab I checked publish in AD; on the Request Handling tab I checked
archive private key, allow key to be exported, and enroll without user input;
on the Subject Name tab: build from AD, use common name, and include e-mail
address; on the Security tab I allowed Authenticated Users Read, Enroll, and
Autoenroll. Back in template manager the cert shows up as autoenroll is allowed.
But when I go back to the CA MMC and go to New Certificate Template to Issue,
the new template doesn't show up. The CA computer did get a new cert to allow
for private key recovery. I have waited a day for AD to replicate even though
this is a single site domain.


Are you running Windows Server 2003 Enterprise Edition on the CA?

http://www.microsoft.com/technet/p [...] kienh.mspx



Windows Server 2003 certificate templates whitepaper:
http://www.microsoft.com/technet/p [...] 3crtm.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/p [...] oenro.mspx
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/p [...] pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/s [...] htcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/p [...] nroll.mspx

Yes, that's correct.

"David Cross [MS]" wrote:

> are you running windows server 2003 enterprise edition on the CA?

Scratch that, I just realized that the CA computer is 2003 Standard. I'm in
the process of reconfiguring the entire domain anyway (not much faith in
the whole domain rename with Exchange process), so will I be OK using this
2003 Standard Edition as an offline standalone root and the subordinate CA on
Enterprise Edition?

"David Cross [MS]" wrote:

> are you running windows server 2003 enterprise edition on the CA?

circa Sun, 5 Dec 2004 17:05:04 -0800, in
microsoft.public.win2000.security, bill
(bill@discussions.microsoft.com) said,
>
> scratch that, i just realized that the CA computer is 2003 standard. i'm in
> the process of re configuring the entire domain anyway ( not much faith in
> the whole domain rename with exchange process)

Unless something has changed since I last checked, you can't have
enterprise CAs installed on DCs while you're doing a domain rename.
Will this affect your strategy?

> so will i be ok using this
> 2003 standard edition as an offline standalone root and the subordinate CA on
> enterprise edition?

Yes, that will work.

Laura

--
Experience is the name every one gives to their mistakes.
-Oscar Wilde


Thank you to you and Dave. I'm one exam from my MCSE on 2003 and I had never
heard of the restriction on version 2 templates. I tried a domain rename in a
test lab and I was disheartened by the results, so I now have 2 domains and I
will be migrating my users instead of renaming the old domain. Then I will
scrap the old CA and make it the standalone root, then configure one of my
DCs to be the issuing CA. I'm currently an ASE certified master auto
technician and I think I will be the only ASE certified and MCSE in the
country??


Reply to bill
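
Added example, not part of the original thread: a small Python check that decodes a certificate template's Active Directory attributes into the settings listed in the first post and applies the edition restriction the thread arrives at (on Windows Server 2003, a Standard Edition CA issues only version 1 templates). The template name and attribute values are constructed for illustration; the attribute names and flag bits are the ones defined for `pKICertificateTemplate` objects.

```python
# Added example: audit a template's AD attributes offline. Values are constructed.

# Flag bits of the pKICertificateTemplate attributes (per MS-CRTD).
PRIVATE_KEY_FLAGS = {0x01: "archive private key", 0x10: "exportable key"}
ENROLLMENT_FLAGS = {0x08: "publish in AD", 0x20: "autoenrollment",
                    0x100: "user interaction required"}
NAME_FLAGS = {0x20000000: "e-mail in subject",
              0x40000000: "common name in subject"}

def decode(value, table):
    """Return the names of the flag bits from `table` that are set in `value`."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def issuable_by(template, ca_edition):
    """Windows Server 2003 rule: version 2 templates need an Enterprise
    (or Datacenter) Edition CA; Standard Edition issues version 1 only."""
    version = int(template.get("msPKI-Template-Schema-Version", 1))
    return version == 1 or ca_edition.lower() in ("enterprise", "datacenter")

def review(template, ca_edition):
    """Return (decoded settings, findings) for one template on one CA."""
    settings = (
        decode(template.get("msPKI-Private-Key-Flag", 0), PRIVATE_KEY_FLAGS)
        + decode(template.get("msPKI-Enrollment-Flag", 0), ENROLLMENT_FLAGS)
        + decode(template.get("msPKI-Certificate-Name-Flag", 0), NAME_FLAGS))
    findings = []
    if not issuable_by(template, ca_edition):
        findings.append("version 2 template not issuable by a %s Edition CA"
                        % ca_edition)
    if "exportable key" in settings and "autoenrollment" in settings:
        findings.append("autoenrolled private keys are exportable")
    return settings, findings

# Constructed template modelled on the settings described in the first post.
DUPLICATED = {
    "cn": "UserWithArchival",              # hypothetical template name
    "msPKI-Template-Schema-Version": 2,    # duplicating yields a v2 template
    "msPKI-Private-Key-Flag": 0x01 | 0x10,
    "msPKI-Enrollment-Flag": 0x08 | 0x20,  # 0x100 clear: no user input
    "msPKI-Certificate-Name-Flag": 0x40000000 | 0x20000000,
}

if __name__ == "__main__":
    for edition in ("Standard", "Enterprise"):
        print(edition, review(DUPLICATED, edition))
```

On a live domain the same attributes can be read from the template objects in the configuration partition; the exportable-key finding is a reminder that autoenrolled keys on this template can leave the machine they were issued to.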