Enterprise subordinate CA in parent:child domains

February 14, 2005 12:29:12 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,
I have root domain AD and child CHILD, 2000 native mode. AD is really a root
with no user and computer objects while CHILD contains all. I want to install
Enterprise Subordinate CA (Root is offline 3rd party CA) to be able to issue
computer certificates.
Questions I have so far:
1. What domain should I install CA into: AD or CHILD?
So far I have installed CA to CHILD and when I want to edit GPO in CHILD
domain to do auto-enrollment for computers I can see templates but no issuing
CA. Same applies when I install it to AD domain.

I have not been able to find this information anywhere but I assume CA
should be installed in the domain for which certificates are issued as in
2000 mode Cert Publishers group is Global, i.e. not crossing domain boundaries.

I would rather not implement steps as per KB 219059 and 281271.

Any help is appreciated.
Kind regards

Vladimir Jirasek
February 15, 2005 1:39:05 AM


When you install it to the child domain try to request a certificate from a
domain computer from the mmc snapin for user/computer certificate. Go to the
personal certificates folder, right click/all tasks - request certificate to
see if it works. If it does you are ready to go. While there check the
trusted root CA folder to see if your CA is there. I have never tried it
that way as I install a CA in the forest root, but I would be surprised if
it does not work for you. --- Steve


"Vladimir Jirasek" <Vladimir Jirasek@discussions.microsoft.com> wrote in
message news:5174FBF5-73A6-40C9-B72F-4C428372215F@microsoft.com...
> <snip>
February 15, 2005 6:41:05 AM


Hi Steven,
I cannot request a certificate as it says there is no CA. However in Sites
when I view Services I can see enrollment CA is mine. However
CertificateAuthority hive is missing in the tree.
Any thoughts?
Vladimir

"Steven L Umbach" wrote:

> <snip>
February 15, 2005 1:00:17 PM


Try to request a certificate from the Certificate Authority itself for
itself as a test and also try Web Enrollment. If dns is not configured
correctly in the domain, that can cause the error message you see. When you
go to AD Users and Computers does the CA computer show as a member of the
Cert Publishers group and does it show in the trusted certificate store for
any of the domain computers? Can you open the Certificate Authority
Management Console on the CA, and when you go to AD Sites and services and
look under public key services/certification authorities does it show your
CA? Are there any errors in the application or system log on the CA? ---
Steve

http://www.microsoft.com/windows2000/techinfo/planning/...
--- Web Enrollment.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-... ---
verify that your dns is correct in the domain.

"Vladimir Jirasek" <VladimirJirasek@discussions.microsoft.com> wrote in
message news:2565EE78-4816-4A1A-AE66-50830DA4110C@microsoft.com...
> <snip>
February 16, 2005 11:17:08 AM


Hi Steven,
well no luck:
1. I cannot request a certificate even from CA itself for itself - error is
that there is no CA, or permissions
2. DNS works OK
3. I did not install Web Enrolment
4. CA is listed in Intermediate CA on CA itself but not on DC.
5. Root CA certificate (offline) is listed in the trusted Root CAs on all
computers in the domain

I am really lost. CA was installed by Enterprise admin account into the child
domain.

Vladimir

"Steven L Umbach" wrote:

> <snip>
February 17, 2005 12:11:34 AM


Are you sure that the CA you installed is an Enterprise CA? Run the command
certutil -cainfo on your CA to see if it reports that it is an Enterprise CA
or not. --- Steve



"Vladimir Jirasek" <VladimirJirasek@discussions.microsoft.com> wrote in
message news:8B5DA704-E4B0-4941-8C49-CB222C5DBA97@microsoft.com...
> <snip>
February 17, 2005 1:07:56 AM


In article <5174FBF5-73A6-40C9-B72F-4C428372215F@microsoft.com>, "Vladimir
Jirasek" <Vladimir Jirasek@discussions.microsoft.com> says...
> Hello,
> I have root domain AD and child CHILD, 2000 native mode. AD is really a root
> with no user and computer objects while CHILD contains all. I want to install
> Enterprise Subordinate CA (Root is offline 3rd party CA) to be able to issue
> computer certificates.
> Questions I have so far:
> 1. What domain should I install CA into: AD or CHILD?
> So far I have installed CA to CHILD and when I want to edit GPO in CHILD
> domain to do auto-enrollment for computers I can see templates but no issuing
> CA. Same applies when I install it to AD domain.
>
It really does not matter which domain you place the enterprise CA in.
The catch is that the permissions on the computer certificate templates
assume a single domain forest.

You must modify the permissions for *any* certificate template to allow
users/computers from *all* domains to have the Read and Enroll
permissions (and the Autoenroll permissions for v2 templates).

Use certtmpl.msc to modify the permissions to add, for example, the
Child\domain computers group and assign the Read, Enroll, and Autoenroll
permissions.

The decision on which domain to place the computer account is typically
based on the number of domain admins in each domain, or the GPO
deployment and management of the specific domains.

It does not affect the issuance of certs.

Also, remember to assign the autoenrollment GPO to the Computers
Configuration in the domain where the computer accounts exist. In your
case, the GPO must be linked to both domains in the forest.

Brian

<SNIP>
February 17, 2005 12:35:03 PM


Hi Brian,
well your suggestion is quite right. Looking at the templates rights I can
see that only Root Domain has got Enrol permission. However when I set that
to my child domain or even add any other object to permissions and click OK,
next time I have a look it is gone. And this happens when logged as enterprise
admin. There is no error when clicking OK button.
So now I am really confused.
Any thoughts? Anyone?
Thanks
Vladimir

"Brian Komar (IdentIT Inc)" wrote:

> <snip>
February 18, 2005 12:14:25 PM


In article <FC52B0BB-EE2B-41A6-89F3-FFFEE5B810D3@microsoft.com>,
VladimirJirasek@discussions.microsoft.com says...
> Hi Brian,
> well your suggestion is quite right. Looking at the templates rights I can
> see that only Root Domain has got Enrol permission. However when I set that
> to my child domain or even add any other object to permissions and click OK,
> next time I have a look it is gone. And this happens when logged as enterprise
> admin. There is no error when clicking OK button.
> So now I am really confused.
> Any thoughts? Anyone?
> Thanks
> Vladimir
<snip>
It may just be a case of replication. When you are making the change,
you are modifying the DACL on an object in the Configuration Naming
Context. Typically, replication must complete for you to see the
modifications. Sometimes, waiting is good, or forcing replication with
tools such as repadmin.

Brian
February 22, 2005 3:57:03 PM


Hello,
well the problem seems to be more complex. It appears that previous admin
installed Enterprise root CA in Root domain 2 years ago. Now I installed
Subordinate enterprise CA in child domain (cert issued by 3rd party CA) (where
all resources are) and even when I set correct permissions on templates I can
only see previous CA. Also in Sites and Services the only visible CA in hive
Certificate authorities is the old one.

Is my assumption correct that my subordinate should be listed in Sites and
Services/Public Key .../Certificate authorities?
I wonder if reinstall will work or if there is a limit on number of
enterprise CA in forest.
Thanks
Vladimir

"Brian Komar (IdentIT Inc)" wrote:

> <snip>
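An added check, not from the thread and not a Microsoft tool: a PowerShell script for a current domain-joined host that reads the same Configuration naming context objects the thread turns on (the template DACLs Brian says to edit, and the CA registrations under Public Key Services) and lists who holds Read, Enroll and AutoEnroll on each template, plus every enterprise CA registered under Enrollment Services with the templates it publishes. The -Server parameter, the function names and the output layout are this example's own assumptions; the two GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment control-access rights.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host with
# ADSI available and read access to the Configuration NC; -Server lets you run
# the same query against different DCs to spot the replication lag Brian mentions.
param([string]$Server = '')   # e.g. a DC in the child domain; empty = default DC

# Well-known control-access-right GUIDs from the schema's Extended-Rights container.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ReadProperty   = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ExtendedRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
$configNc = ([ADSI]"${prefix}RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PkiObjects([string]$Container, [string]$ObjectClass) {
    # Enumerate one container under Public Key Services in the Configuration NC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"${prefix}CN=$Container,$pkiBase"
    $searcher.Filter     = "(objectClass=$ObjectClass)"
    $searcher.PageSize   = 500
    foreach ($r in $searcher.FindAll()) { $r.GetDirectoryEntry() }
}

function Get-TemplateEnrollRights([System.DirectoryServices.DirectoryEntry]$Template) {
    # Translate the template's DACL into "who may Read / Enroll / AutoEnroll".
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $bits   = [int]$ace.ActiveDirectoryRights
        $rights = @()
        if ($bits -band $ReadProperty) { $rights += 'Read' }
        if ($bits -band $ExtendedRight) {
            # An ExtendedRight ACE with an empty ObjectType grants every extended right.
            $all = ($ace.ObjectType -eq [guid]::Empty)
            if ($all -or $ace.ObjectType -eq $EnrollGuid)     { $rights += 'Enroll' }
            if ($all -or $ace.ObjectType -eq $AutoEnrollGuid) { $rights += 'AutoEnroll' }
        }
        if (-not $rights) { continue }
        # Resolve the SID to DOMAIN\name where possible, so the domain is visible.
        try   { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.IdentityReference.Value }
        [pscustomobject]@{ Template  = $Template.Properties['cn'].Value
                           Principal = $who
                           Rights    = ($rights -join ',') }
    }
}

# 1. Template ACLs: in a multi-domain forest, each domain whose computers should
#    enrol (e.g. CHILD\Domain Computers) needs Read+Enroll (+AutoEnroll for v2).
Get-PkiObjects 'Certificate Templates' 'pKICertificateTemplate' |
    ForEach-Object { Get-TemplateEnrollRights $_ } |
    Sort-Object Template, Principal | Format-Table -AutoSize

# 2. Enrollment Services: clients discover issuing CAs here, and a CA only offers
#    a template that is listed in its certificateTemplates attribute. A CA that is
#    absent from this container produces the "no issuing CA" symptom in the thread.
Get-PkiObjects 'Enrollment Services' 'pKIEnrollmentService' | ForEach-Object {
    [pscustomobject]@{
        CA        = $_.Properties['cn'].Value
        Host      = $_.Properties['dNSHostName'].Value
        Templates = (@($_.Properties['certificateTemplates']) -join ', ')
    }
} | Format-List
```

Run it once against a root-domain DC and once with -Server pointing at a child-domain DC; a template ACE that shows up on one and not the other is the replication lag Brian describes, while an ACE that never appears on either means the edit did not persist.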