Re: Autoenrollment - What Does it Do!?
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Wed, 15 Nov 2006 07:11:57 -0000
When you install certificate services somewhere in your forest, a DC
template becomes available. DCs will auto-enrol this if they're not running
SP1. If they're running SP1 you must add them to the CERTSVC... group
before they will auto-enrol.
The certificate allows the DCs to perform LDAPS, which is LDAP over SSL. So
it's basically an SSL cert.
You are now able to perform simple binds over a secure channel if you use
the explicit host name. Serverless bind won't work due to a hostname and
cert mismatch.
> Does it enable encrypted communication to the other DC?
No. You'll need to use IPSec for that. When you do, you can choose to use
either Kerberos or Certificates. Certificates are better; we've had some
issues with Kerberos.
> Is the replication data encrypted for transfer?
It is anyway. It's done via secure RPC. If that isn't enough for you, you
have to use IPSec.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
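Added example, not from Paul's post or from Microsoft: a small Python check that illustrates the hostname/certificate point above, i.e. why a simple bind over LDAPS works against the DC's explicit host name but a serverless bind against the domain name fails. The DC certificate and the names `dc1.corp.example` / `corp.example` are constructed sample values.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, for a
# DC certificate whose only DNS name is the DC's own FQDN (assumed names).
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.corp.example"),),),
    "subjectAltName": (("DNS", "dc1.corp.example"),),
}


def cert_dns_names(cert):
    """Names a client may match against: SAN DNS entries, falling back to
    the subject CN only when the certificate carries no SAN at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is accepted
    only as the entire left-most label and covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def ldaps_name_ok(cert, target):
    """True when the name the client connected to is covered by the cert.
    A serverless bind targets the domain name (corp.example), not the DC's
    host name, so it fails this check against the sample certificate."""
    return any(name_matches(n, target) for n in cert_dns_names(cert))


def fetch_ldaps_cert(host, port=636, timeout=5):
    """Retrieve a live DC's LDAPS certificate. Hostname verification stays
    on, so connecting by a non-matching name raises ssl.CertificateError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

`fetch_ldaps_cert("dc1.corp.example")` is the live variant of the same check against a real DC; the other functions run offline on the constructed certificate.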