Re: Cert Server - Changed Enterprise CA
- From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
- Date: Wed, 14 Jun 2006 01:53:11 GMT
Hi Scotter,
I'm back. :)
I built a test machine with a CA to reproduce your issue and got the same
result: when adding the Automatic Certificate Request entry, there was no
option to select a CA. So I tried to find out why. The Automatic
Certificate Request Setup Wizard asks which certification authority (CA) it
should query when the wizard runs on Windows 2000. The wizard will not
prompt you when it runs on Windows XP or the Windows Server 2003 family.
More information:
<http://technet2.microsoft.com/WindowsServer/en/Library/9699f873-7ddd-4805-9953-a2d62e95e4d61033.mspx?mfr=true>
Hope this helps
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================
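The thread turns on three questions: which enterprise CAs the domain actually publishes (the source of the CA list in the GPO wizard), whether the old and new root CAs sit in a machine's Trusted Root store, and which machine certificates were issued by the decommissioned CA and therefore need re-enrolment. The script below is an added example, not something posted in the thread or shipped by Microsoft; it uses the CA names Scott gives (ENMInternal, EandMInternal), and the PowerShell Cert: drive and the AD Enrollment Services container it queries are assumptions about the environment.

```powershell
# Added example (not from the thread or Microsoft): audit one machine after an
# Enterprise Root CA has been replaced. CA names are the ones Scott lists in the
# thread; the PowerShell Cert: drive and AD container path are assumptions.
param(
    [string]$OldCaName = 'ENMInternal',    # Enterprise Root CA removed with the demoted DC
    [string]$NewCaName = 'EandMInternal'   # Enterprise Root CA installed on the new DC
)

# 1. Which enterprise CAs are published in AD? Enterprise CAs register themselves
#    here as pKIEnrollmentService objects, and that is where domain members look
#    for a CA to enrol against, so an empty list here matches an empty GPO list.
$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es    = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
foreach ($svc in $es.Children) {
    "Enterprise CA in AD: {0} on {1}" -f $svc.cn, $svc.dNSHostName
}

# 2. Is each CA certificate in the local machine's Trusted Root store?
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
foreach ($ca in $OldCaName, $NewCaName) {
    $hit = @($roots | Where-Object { $_.Subject -match "CN=$ca\b" })
    if ($hit.Count) { "Trusted Root has {0} (thumbprint {1})" -f $ca, $hit[0].Thumbprint }
    else            { "Trusted Root does NOT have $ca" }
}

# 3. Which certificates in the machine's personal store came from which CA?
#    Anything still issued by the old CA is what the GPO re-enrolment must replace.
$personal = Get-ChildItem -Path Cert:\LocalMachine\My
$stale = @($personal | Where-Object { $_.Issuer -match "CN=$OldCaName\b" })
$fresh = @($personal | Where-Object { $_.Issuer -match "CN=$NewCaName\b" })
"Issued by old CA ($OldCaName): $($stale.Count)"
$stale | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
"Issued by new CA ($NewCaName): $($fresh.Count)"
$fresh | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# 4. Old-CA certificates stop validating once the cached CRL expires, because the
#    decommissioned CA can no longer publish a fresh one. Show each chain's status.
foreach ($c in $stale) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid  = $chain.Build($c)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "{0}: chain valid={1} {2}" -f $c.Thumbprint, $valid, $status
}
```

Run it on a domain member after the new CA is in place and again after the GPO refresh; the old-CA count in step 3 should drop to zero, and step 1 should list only the new CA.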
--------------------
From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
Subject: Re: Cert Server - Changed Enterprise CA
Date: Fri, 09 Jun 2006 10:02:24 GMT
Newsgroups: microsoft.public.win2000.active_directory
Hi Scotter,
I'm trying to build a test environment to reproduce your issue. Meanwhile,
I'll try to research this. Hope I can give an explanation.
Thanks for your patience.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Thu, 8 Jun 2006 07:40:40 -0700
Newsgroups: microsoft.public.win2000.active_directory
So on a PC/Server I can load up the Certificates snap-in and look at
the local machine's Trusted Root CAs.
In there are all the normal ones and my three:
Standalone (enmvpnca)
Old Enterprise Root CA (ENMInternal)
New Enterprise Root CA (EandMInternal)
So all three are listed in there.
I guess I was wondering why in the GPO editor for adding the Automatic
Certificate Request entry, there was not an option to select a CA. If I
go into the Properties and try to edit the entry that is there, I see the
place where you are supposed to select a CA, but the list is empty.
Thank you,
Scott<-
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:yBqrg5tiGHA.4528@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Scotter,
I found one sentence in your first post:
"though later found out that you could not use an Enterprise Root and
needed a Standalone Root. I just left the Enterprise Root there. I
think it was really used for anything"
If the CA is not an Enterprise Root, it will not appear in the Trusted CA list.
Then, please make sure you are checking "Trusted Root CA", not
"Trusted Publishers".
Finally, please check whether the old CA appears in the Trusted CA list.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Wed, 7 Jun 2006 07:17:08 -0700
Newsgroups: microsoft.public.win2000.active_directory
So I removed it and re-added it, and it looks like I get a new cert.
Though why doesn't the CA show up as one of the listed Trusted CAs in
the Automatic Certificate Request entry?
Thanks,
Scott<-
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:hlXZ69hiGHA.4948@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Scott,
Yes, please remove the original Computer Certificate in the default GPO,
since it is generated by the old CA.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Tue, 6 Jun 2006 17:03:42 -0700
Newsgroups: microsoft.public.win2000.active_directory
So as per the instructions I added an IPSec Cert Template and added that
to the Default Group Policy. That worked fine. I rebooted and now my
machine has an IPSec Cert from the new CA.
Though the Computer Certificate was already in the Default GPO, and I did
Properties on it and went through all the pages and it didn't ask to
reassociate it with the new CA. Would I want to delete it and re-add the
Computer Template?
Thanks,
Scott<-
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:pgQjN9ghGHA.2260@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,
To manually request a Cert, you can refer to the following article:
323342 How to install a certificate for use with IP Security in Windows
Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323342
To automatically get a Cert by GP, you can refer to the following steps:
Before you create an automatic certificate request, you must know the
following:
1. The type of certificate you want computers to enroll for automatically.
2. The certification authority (CA) that will issue the certificate.
Install a Certificate Template
Use the following steps to install a certificate template, and note that
these steps must be performed on an enterprise CA in the Active Directory
domain:
1. Click Start, point to Programs, point to Administrative Tools, and
then click Certificate Authority.
2. In the Certification Authority console, expand your domain name,
right-click the Policy Settings node in the left pane, point to New, and
then click Certificate to Issue.
3. In the Select Certificate Template dialog box, click the certificate
template you require. In this example, click the IPSEC certificate, and
then click OK.
4. Quit the Certification Authority console.
Configure the Automatic Certificate Request Policy
Use the following steps to configure an automatic certificate request
policy that allows automatic enrollment for domain computers:
1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, right-click your
domain name, and then click Properties.
3. Click the Group Policy tab, click a domain group policy object, and then
click Edit.
4. In the Group Policy console, expand the Computer Configuration node,
expand the Windows Settings node, expand the Security Settings node, and
then expand the Public Key Policies node.
5. Right-click the Automatic Certificate Request Settings node, point to
New, and then click Automatic Certificate Request.
6. When the Automatic Certificate Request Setup Wizard starts, click Next.
7. On the Certificate Template page, click the template you require. In
this example, click the IPSEC template, and then click Next.
8. On the Certificate Authority page, select the enterprise CA for your
domain by placing a checkmark in the check box to the left of the CA.
Click Next.
9. On the Completing the Automatic Certificate Request Setup page, click
Finish. The new certificate is automatically requested the next time the
user logs on or the next time the domain Group Policy is refreshed. The
certificate will be installed on new computers when they join the domain.
Hope this helps.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Re: Cert Server - Changed Enterprise CA
Date: Thu, 1 Jun 2006 10:05:44 -0700
Newsgroups: microsoft.public.win2000.active_directory
How do I have them do that?
Can I put it in the Login Script for the Domain?
Thank you,
"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:WOcuY4FhGHA.5608@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Scott,
Of course you need to have the PCs/Servers request a new Cert from the
new CA.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
--------------------
From: "Scott Townsend" <scooter@xxxxxxxxxxxxxxxx>
Subject: Cert Server - Changed Enterprise CA
Date: Tue, 30 May 2006 11:57:18 -0700
Newsgroups: microsoft.public.win2000.active_directory
We had some issues with one of our DCs and with MS Support's advice we
had to demote it, which involved removing the Enterprise Root CA that
was on it.
I installed a new Enterprise Root CA on a new DC, though not sure that
AD is happy.
I originally installed the CA to be used with our Cisco PIX VPN
connections, though later found out that you could not use an Enterprise
Root and needed a Standalone Root. I just left the Enterprise Root there.
I didn't think it was really used for anything. Though now I think it
might have been.
The old cert server had Certs issued to each of the PCs/Servers in the
domain. How do I get the new Cert Server to issue new certs to the
PCs/Servers or have the PCs/Servers request a new Cert from the new CA?
Thanks,
Scott<-