Windows 2003 CA in W2K Domain

Tags:
  • Windows Server 2003
  • Domain
  • Certificate
  • Windows
January 23, 2005 2:19:03 PM

Archived from groups: microsoft.public.win2000.security

Hi, I am planning a deployment of certificate services for a client
deployment. The client has a Windows 2000 domain but will migrate to 2003 at
some future (unplanned as yet) time. I am wondering at the benefits /
possibilities of deploying Windows 2003 certificate services in this
environment. Is this possible and to what degree the new features can be
utilised? I believe some features will require the forest schema to be
updated to 2003 but would appreciate any thoughts anyone has on the pros and
cons of using a 2003 CA in this environment (there will actually be 2 CAs - a
standalone root and a subordinate issuing Enterprise CA). Any thought /
experiences of pitfalls very welcome.
Thanks.

Anonymous
January 23, 2005 4:31:32 PM

In article <2E1E6FF3-A419-4E14-AFCD-134FEA586EE6@microsoft.com>,
John@discussions.microsoft.com says...
> Hi, I am planning a deployment of certificate services for a client
> deployment. The client has a Windows 2000 domain but will migrate to 2003 at
> some future (unplanned as yet) time. I am wondering at the benefits /
> possibilities of deploying Windows 2003 certificate services in this
> environment. Is this possible and to what degree the new features can be
> utilised? I believe some features will require the forest schema to be
> updated to 2003 but would appreciate any thoughts anyone has on the pros and
> cons of using a 2003 CA in this environment (there will actually be 2 CAs - a
> standalone root and a subordinate issuing Enterprise CA). Any thought /
> experiences of pitfalls very welcome.
> Thanks.
>
The key is applying the Windows Server 2003 Schema. Once the schema is
updated, you have access to all benefits of the Windows Server 2003 PKI
(subject to the client OS versions).

You can choose either Windows 2000 or Windows 2003, Standard Edition for
the offline CAs. Be sure to select Windows Server 2003, Enterprise
Edition for the issuing CAs.

I have deployed *several* PKIs in the last two years based on this
configuration with no issues.

Brian
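Brian's answer hinges on the forest schema level, which is something an administrator can verify before planning the CA build. The following PowerShell snippet is an added example, not code from the thread: it reads the schema objectVersion (13 = Windows 2000, 30 = Windows Server 2003, 31 = 2003 R2, as Microsoft documents) and lists the certificate templates published in the Configuration partition with their msPKI-Template-Schema-Version, so you can see whether the version 2 templates that carry the 2003 PKI features are available yet.

```powershell
# Added example: check whether the forest schema supports Windows Server 2003 PKI
# features (version 2 templates). Run on a domain-joined host as a user that can
# read the Schema and Configuration partitions.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value

# objectVersion on the Schema head records the forest schema level:
# 13 = Windows 2000, 30 = Windows Server 2003, 31 = Windows Server 2003 R2.
$schemaVersion = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
$level = switch ($schemaVersion) {
    13      { 'Windows 2000' }
    30      { 'Windows Server 2003' }
    31      { 'Windows Server 2003 R2' }
    default { if ($schemaVersion -gt 31) { 'later than 2003 R2' } else { 'unrecognised' } }
}
"Forest schema objectVersion = $schemaVersion ($level)"
if ($schemaVersion -lt 30) {
    Write-Warning 'Schema is pre-2003: version 2 templates (autoenrollment, key archival) are unavailable until the schema is upgraded.'
}

# Enumerate the templates published under Public Key Services and show each one's
# msPKI-Template-Schema-Version (1 = v1 template, 2 = v2 template with the 2003 features).
$templateDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$templateDn"
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'msPKI-Template-Schema-Version'))

foreach ($result in $searcher.FindAll()) {
    $name   = $result.Properties['cn'][0]
    $tv     = $result.Properties['mspki-template-schema-version']
    # The attribute does not exist on a Windows 2000 schema; treat that as v1.
    $tvText = if ($tv.Count -gt 0) { $tv[0] } else { 'not set (v1 / pre-2003 schema)' }
    '{0,-40} template schema version {1}' -f $name, $tvText
}
```

If the schema reports 30 or higher but no template shows version 2, the schema upgrade has been applied and the 2003 templates simply have not been published yet, which is a different problem from the one Brian describes.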
January 23, 2005 4:31:33 PM

Hi Brian,

Thanks for the answer. Have you deployed smartcards before and if so how
did you manage the initial deployment (i.e. migration from usernames to
smartcard login)? We have over a thousand users to move across and I am
interested in what has worked (or not) for you?

Regards,
John

"Brian Komar" wrote:

> In article <2E1E6FF3-A419-4E14-AFCD-134FEA586EE6@microsoft.com>,
> John@discussions.microsoft.com says...
> > Hi, I am planning a deployment of certificate services for a client
> > deployment. The client has a Windows 2000 domain but will migrate to 2003 at
> > some future (unplanned as yet) time. I am wondering at the benefits /
> > possibilities of deploying Windows 2003 certificate services in this
> > environment. Is this possible and to what degree the new features can be
> > utilised? I believe some features will require the forest schema to be
> > updated to 2003 but would appreciate any thoughts anyone has on the pros and
> > cons of using a 2003 CA in this environment (there will actually be 2 CAs - a
> > standalone root and a subordinate issuing Enterprise CA). Any thought /
> > experiences of pitfalls very welcome.
> > Thanks.
> >
> The key is applying the Windows Server 2003 Schema. Once the schema is
> updated, you have access to all benefits of the Windows Server 2003 PKI
> (subject to the client OS versions).
>
> You can choose either Windows 2000 or Windows 2003, Standard Edition for
> the offline CAs. Be sure to select Windows Server 2003, Enterprise
> Edition for the issuing CAs.
>
> I have deployed *several* PKIs in the last two years based on this
> configuration with no issues.
>
> Brian
>
Anonymous
January 24, 2005 2:11:07 AM

In article <290900DB-DCE5-4855-B4FF-65FE1D3723BE@microsoft.com>,
John@discussions.microsoft.com says...
>
> Hi Brian,
>
> Thanks for the answer. Have you deployed smartcards before and if so how
> did you manage the initial deployment (i.e. migration from usernames to
> smartcard login)? We have over a thousand users to move across and I am
> interested in what has worked (or not) for you?
>
>
John.

I have worked on a few large scale smart card deployments, and they
definitely take a lot of effort.

You have to consider:
- provisioning
- selection of a smart card vendor
- selection of a registration authority (if you do not want to use the
default win2k3 RA - recommended)
- support for applications/servers that do not support smart card auth
(rpc over http, terminal services to win2k, non-domain members)
- what do you do when someone forgets/loses their cards
- what measures do you take to identify the subject of the certificate
before issuing the certificate
- how will you handle initial issuance
- how will you handle renewal

HTH,
Brian
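Brian's checklist covers initial issuance and the migration from username logon, and the practical measure of progress there is how many accounts in a rollout batch actually have "Smart card is required for interactive logon" set. This PowerShell snippet is an added example, not code from the thread: it enumerates enabled user accounts under a batch OU (the DN is a placeholder) and splits them by the SMARTCARD_REQUIRED bit (0x40000) in userAccountControl, since an account without that bit still accepts a password and so has not really moved across.

```powershell
# Added example: report smart card logon enforcement for a migration batch.
# Users without SMARTCARD_REQUIRED can still authenticate with a password, so the
# move from username logon to smart card logon is only complete once the bit is set.
# The OU below is a placeholder; point it at the batch being migrated.

$batchOu = 'OU=SmartCardWave1,OU=Users,DC=example,DC=com'   # placeholder DN

# userAccountControl bits, as documented in the AD schema.
$ACCOUNTDISABLE     = 0x0002
$SMARTCARD_REQUIRED = 0x40000

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$batchOu"
# Enabled user accounts only; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl'))

$enforced = @()
$pending  = @()
foreach ($r in $searcher.FindAll()) {
    $sam = $r.Properties['samaccountname'][0]
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    if ($uac -band $SMARTCARD_REQUIRED) { $enforced += $sam } else { $pending += $sam }
}

"Batch $batchOu"
'  smart card required : {0}' -f $enforced.Count
'  still password-based: {0}' -f $pending.Count
if ($pending.Count -gt 0) {
    '  pending accounts:'
    $pending | Sort-Object | ForEach-Object { "    $_" }
}
```

Running this per batch before and after issuance gives a simple audit trail for the rollout, and the "pending" list is also where the forgotten or lost card cases Brian mentions will show up if the bit is cleared as a temporary workaround.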
January 24, 2005 12:39:05 PM

Thanks

"Brian Komar" wrote:

> In article <290900DB-DCE5-4855-B4FF-65FE1D3723BE@microsoft.com>,
> John@discussions.microsoft.com says...
> >
> > Hi Brian,
> >
> > Thanks for the answer. Have you deployed smartcards before and if so how
> > did you manage the initial deployment (i.e. migration from usernames to
> > smartcard login)? We have over a thousand users to move across and I am
> > interested in what has worked (or not) for you?
> >
> >
> John.
>
> I have worked on a few large scale smart card deployments, and they
> definitely take a lot of effort.
>
> You have to consider:
> - provisioning
> - selection of a smart card vendor
> - selection of a registration authority (if you do not want to use the
> default win2k3 RA - recommended)
> - support for applications/servers that do not support smart card auth
> (rpc over http, terminal services to win2k, non-domain members)
> - what do you do when someone forgets/loses their cards
> - what measures do you take to identify the subject of the certificate
> before issuing the certificate
> - how will you handle initial issuance
> - how will you handle renewal
>
> HTH,
> Brian
>