Re: Windows Server 2003 Enterprise PKI


The root CA in your PKI does not need to be WS2K3 Enterprise Edition.

The issuing CA in your domain should be WS2K3 Enterprise Edition to enable
V2 templates and to achieve auto enrollment, etc.

What is your architecture? Why do you have three CA's? Are they chained or
do you have two issuing CA's?

You will find more information on this subject in the
microsoft.public.security.crypto newsgroup.

"Alyas_Razzaq" <AlyasRazzaq@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EC802A42-F87E-4E5B-8970-D9EA94B6D894@xxxxxxxxxxxxxxxx
Thank you for the response. Our setup here is made up of a single child
domain within the forest. All resources are contained within the child
domain and we currently have 13 different sites.

If we wanted to make use of user certificate auto-enrolment, could this be
achieved with only one Win2K3 Enterprise Ed. server CA or would both
servers need to be running Enterprise Ed.?

Also, I'm assuming if we only wanted to invest in a single copy of
Enterprise Ed of Win2K3, then this should be one of the issuing CA's and
not the offline root CA.

Thanks

"Paul Nelson" wrote:

You need the Enterprise version to work with the v2 templates. From my
experience, you only need the Enterprise version to edit V2 templates. I
always use Enterprise for my CA, so I can't say for sure if you can edit
templates on the Enterprise and import them on the basic version. The
basic version does issue certificates using V2 templates, but won't let
you edit them.

Paul Nelson
Thursby Software Systems, Inc.

in article C3597523-ECEA-4C53-9CFA-3F8FB0C8BCC8@xxxxxxxxxxxxx,
Alyas_Razzaq at Alyas_Razzaq@xxxxxxxxxxxxxxxxxxxxxxxxx wrote on 10/27/06 4:41 AM:

Hi all, we are looking to implement a pki setup. All the servers that
will be some form of a CA will be running Windows Server 2003 Standard
Ed. We will have a two-tier setup, with an offline root CA and 2
subordinate issuing CA's.

We would like to make use of V2 templates for things like:
- Auto-enrollment of computer and user certificates
- Workstation Authentication
- etc etc

Would we be able to get away with having one of the issuing CA's running
Enterprise Ed. of Server 2003, or would both issuing servers need to be
running Enterprise ed. or would all 3 need to be running Enterprise Ed?

Thank You



