Re: Autoenrollment - What Does it Do!?



In news:O5J30xCCHHA.4844@xxxxxxxxxxxxxxxxxxxx,
Will Niccolls <leatherwon@xxxxxxxxx> stated, which I commented on below:
I was able to fix autoenrollment failure events (access denied) that
occurred on our two new domain controllers (2003 SP1) by adding their
computer account to the CERTSVC_DCOM_ACCESS group.

Now I'd like to explain to my boss why this matters. What does the
autoenrollment function do in the case of these DC's? Does it enable
encrypted communication to the other DC? Is the replication data
encrypted for transfer?

Thanks, Will

Autoenrollment, when configured for it in a GPO with the correct certificate
version (only an issuing CA on 2003 Enterprise will support v2 certs),
tells all computers and users to autoenroll; this includes DCs. Not that
they necessarily will use the cert, and it also depends on what type of cert
you are dishing out (wireless authentication, user smart card, etc.).

For more info, may I suggest posting this question in the
microsoft.public.security.crypto newsgroup. Those guys deal with it on a
daily basis.

In the meantime, here are some pertinent links that will explain most of
this:

Certificate Autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Selecting Certificate Templates Public Key (need enterprise to make
autoenrollment work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/c71d2cd3-82ef-4e3c-8746-1340d0ef4e9a.mspx

Configure a certificate template for client autoenrollment:
http://technet2.microsoft.com/WindowsServer/en/Library/47f1c981-7c04-48b0-a697-56db5ba00a8e1033.mspx

Problems Installing Certificate Services After You Apply the Q323172 Patch:
http://support.microsoft.com/default.aspx?scid=kb;en-us;328595

Certificate Services Operations Guide - Certificate Services Operations:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/CertificateServices/CrtSevcOG_2.mspx

The Secure Access Using Smart Cards Planning Guide - Chapter 3 - Using Smart
Cards to Help Secure Administrator Accounts:
http://www.microsoft.com/technet/security/topics/networksecurity/securesmartcards/scpgch03.mspx

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

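An added verification script (not part of this thread, and not from Will or Ace) for the fix described above: it lists every domain controller, checks whether its computer account is in CERTSVC_DCOM_ACCESS, and scans the local Application log for autoenrollment errors. It assumes the RSAT ActiveDirectory module is available, that CERTSVC_DCOM_ACCESS is a domain-local group (the case when the CA is installed on a DC; on a member-server CA it is a local group on that server), and that the event source name contains "AutoEnrollment".

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$group = 'CERTSVC_DCOM_ACCESS'   # group named in the thread; assumed domain-local here

# Every DC in the domain, by computer account name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# Resolve nested groups (e.g. "Domain Controllers") down to individual computers.
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name }

$missing = @()
foreach ($dc in $dcs) {
    if ($members -contains $dc) {
        Write-Output "OK:      $dc is a member of $group"
    } else {
        Write-Output "MISSING: $dc is NOT a member of $group (DCOM enrollment will be denied)"
        $missing += $dc
    }
}

# Recent autoenrollment errors on this machine. Source name is an assumption:
# on 2003 it is "AutoEnrollment", on later versions it is
# "Microsoft-Windows-CertificateServicesClient-AutoEnrollment".
$since = (Get-Date).AddDays(-7)
$errors = Get-EventLog -LogName Application -EntryType Error -After $since |
    Where-Object { $_.Source -like '*AutoEnrollment*' }

foreach ($e in $errors) {
    $summary = ($e.Message -split "`r?`n")[0]
    Write-Output ("{0:u}  [{1}] {2}" -f $e.TimeGenerated, $e.EventID, $summary)
}

if ($missing.Count -eq 0 -and $errors.Count -eq 0) {
    Write-Output 'All DCs are in the group and no autoenrollment errors were logged.'
}
```

Run it on a DC (or on the CA, after changing the group lookup to the local group) with an account that can read group membership; adding a missing DC is then `Add-ADGroupMember -Identity CERTSVC_DCOM_ACCESS -Members 'DCNAME$'`, followed by a reboot or `gpupdate /force` on that DC to trigger enrollment again.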
