Re: Cert Server - Changed Enterprise CA
- From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
- Date: Wed, 7 Jun 2006 07:17:08 -0700
So I removed it and readded it, and it looks like I get a new Cert.
Though why doesn't the CA show up as one of the listed Trusted CA in the
Automatic Certificate Request entry?
Thanks,
Scott<-
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:hlXZ69hiGHA.4948@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Scott ,
Yes, please remove the original Computer Certificate in default GPO since
it is generated by the old CA.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Tue, 6 Jun 2006 17:03:42 -0700
So as per the Instructions I added an IPSec Cert Template and added that to
the Default Group Policy. That worked fine. I rebooted and now my machine
has an IPSec Cert from the new CA automatically.
Though the Computer Certificate was already in the Default GPO and I did
properties on it and went through all the pages and it didn't ask to
reassociate it with the new CA. Would I want to Delete it and readd the
Computer Template?
Thanks,
Scott<-
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:pgQjN9ghGHA.2260@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,
To manually request a Cert, you can refer to following article:
323342 How to install a certificate for use with IP Security in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323342
To automatically get a Cert by GP, you can refer to following steps:
Before you create an automatic certificate request, you must know the
following:
1. The type of certificate you want computers to enroll for
2. The certification authority (CA) that will issue the certificate.
Install a Certificate Template
Use the following steps to install a certificate template, and note that
these steps must be performed on an enterprise CA in the Active Directory
domain:
1. Click Start, point to Programs, point to Administrative Tools, and
then click Certificate Authority.
2. In the Certification Authority console, expand your domain name,
right-click the Policy Settings node in the left pane, point to New, and
then click Certificate to Issue.
3. In the Select Certificate Template dialog box, click the certificate
template you require. In this example, click the IPSEC certificate, and
then click OK.
4. Quit the Certification Authority console.
Configure the Automatic Certificate Request Policy
Use the following steps to configure an automatic certificate request
policy that allows automatic enrollment for domain computers:
1. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, right-click your
domain name, and then click Properties.
3. Click the Group Policy tab, click a domain group policy object, and then
click Edit.
4. In the Group Policy console, expand the Computer Configuration node,
expand the Windows Settings node, expand the Security Settings node, and
then expand the Public Key Policies node.
5. Right-click the Automatic Certificate Request Settings node, point to
New, and then click Automatic Certificate Request.
6. When the Automatic Certificate Request Setup Wizard starts, click Next.
7. On the Certificate Template page, click the template you require. In
this example, click the IPSEC template, and then click Next.
8. On the Certificate Authority page, select the enterprise CA for your
domain by placing a checkmark in the check box to the left of the CA.
Click Next.
9. On the Completing the Automatic Certificate Request Setup page, click
Finish. The new certificate is automatically requested the next time the
user logs on or the next time the domain Group Policy is refreshed. The
certificate will be installed on new computers when they join the domain.
Hope this helps.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Thu, 1 Jun 2006 10:05:44 -0700
How do I have them do that?
Can I put it in the Login Script for the Domain?
Thank you,
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:WOcuY4FhGHA.5608@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Scott,
Of course you need to have the PCs/Servers request a new Cert from the new
CA
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Cert Server - Changed Enterprise CA
Date: Tue, 30 May 2006 11:57:18 -0700
We had some issues with one of our DCs and with MS Support's Advice we had
to demote it, which involved removing the Enterprise Root CA that was on
it.
I installed a new Enterprise Root CA on a new DC, though not sure that AD is
happy.
I originally installed the CA to be used with our Cisco PIX and VPN
connections, though later found out that you could not use an Enterprise
Root and needed a Standalone Root. I just left the Enterprise Root there. I
didn't think it was really used for anything. Though now I think it might
have been.
The old cert server had Certs issued to each of the PCs/Servers in the
domain. How do I get the new Cert Server to issue new certs to the
PCs/Servers or have the PCs/Servers request a new Cert from the new CA?
Thanks,
Scott<-
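A way to check the outcome discussed in this thread (which certificates in a computer's store were issued by the old CA and which by the new one), as an added example that is not part of the original posts. It assumes a current Windows host with the PowerShell certificate provider, which postdates the thread, and the two CA names are placeholders to be replaced with the common names of your retired and replacement CAs.

```powershell
# Added example. Run on a domain member after Group Policy has refreshed.
function Get-MachineCertIssuerReport {
    param(
        [Parameter(Mandatory)][string]$OldCaName,       # placeholder: CN of the retired CA
        [Parameter(Mandatory)][string]$NewCaName,       # placeholder: CN of the replacement CA
        [string]$StorePath = 'Cert:\LocalMachine\My'    # the computer's "Personal" store
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        # Issuer is a distinguished name; take its CN (simplified: assumes no escaped commas).
        $issuerCn = if ($_.Issuer -match 'CN=([^,]+)') { $Matches[1].Trim() } else { $_.Issuer }
        $status = if ($issuerCn -eq $OldCaName) { 'IssuedByOldCA' } elseif ($issuerCn -eq $NewCaName) { 'IssuedByNewCA' } else { 'OtherIssuer' }
        [pscustomobject]@{
            Subject    = $_.Subject
            IssuerCN   = $issuerCn
            Status     = $status
            # Intended purposes (for example IP security or client authentication)
            Purposes   = ($_.EnhancedKeyUsageList.FriendlyName | Sort-Object) -join ', '
            NotAfter   = $_.NotAfter
            Expired    = $_.NotAfter -lt $now
            Thumbprint = $_.Thumbprint
        }
    }
}

$report = Get-MachineCertIssuerReport -OldCaName 'OLD-CA-NAME-PLACEHOLDER' -NewCaName 'NEW-CA-NAME-PLACEHOLDER'

# Full picture: every computer certificate and which CA issued it.
$report | Sort-Object Status | Format-Table Subject, IssuerCN, Status, Purposes, NotAfter -AutoSize

# Old-CA certificates whose purposes have no counterpart from the new CA yet,
# i.e. templates still waiting on a fresh automatic certificate request.
$newPurposes = ($report | Where-Object Status -eq 'IssuedByNewCA').Purposes
$report | Where-Object { $_.Status -eq 'IssuedByOldCA' -and $_.Purposes -notin $newPurposes } |
    Format-Table Subject, Purposes, NotAfter, Thumbprint -AutoSize
```

An empty second table means every purpose covered by an old-CA certificate also has a certificate from the new CA on this machine.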