Guest james Posted August 13, 2008

I have a certificate authority already registered in AD; unfortunately it has two problems:

1. it has a misleading name
2. I can't load certificate templates

My questions are:

1. can I rename it (I guess not)?
2. why won't it let me load templates?
3. should I give up on it, build a new root and subordinate CA tree, move the services to the new tree and then remove the old one?
4. as I have a multi-tree AD forest, should the root CA go in the root domain?

Many thanks,
James
Guest Brian Komar (MVP) Posted August 13, 2008

1) Is the CA a standalone CA or an enterprise CA? When following best practices, the root is offline in a two-tiered CA hierarchy, and only the issuing CAs are online and members of the domain.
2) What do you mean by "I can't load certificate templates"? This sounds like you cannot load custom V2 certificate templates. If this is the case, you built the CA on Standard Edition, and not on Enterprise Edition. Only an enterprise CA running on Enterprise Edition can issue certificates based on v2 certificate templates.
3) You cannot rename a CA, so uninstall and reinstall or replacement are the only options.
4) You need to read the best practices whitepaper available at www.microsoft.com/pki
5) The root CA is never a domain member if it is an offline CA.
6) It really does not matter which domain hosts an enterprise CA in a multi-domain forest. Enrollment and management is all based on group permissions.

Brian
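An added check, not part of the thread or of any Microsoft document: a PowerShell snippet, run elevated on the CA host, that answers the two questions Brian raises in points 1 and 2 (standalone vs. enterprise CA, Standard vs. Enterprise Edition) and lists what the CA is currently set to issue. The registry location and the CAType value meanings are those of the CertSvc configuration key; the edition test, which looks for "Enterprise" or "Datacenter" in the OS product name, and the parsing of `certutil -catemplates` output are assumptions of this example.

```powershell
# Added example, not from the thread: classify the local CA and check whether it
# meets the two conditions Brian gives for v2 (custom) templates: an enterprise CA
# type and an Enterprise/Datacenter Edition OS. Run in an elevated prompt on the CA.

function Get-LocalCaSummary {
    # CertSvc keeps one subkey per CA under ...\CertSvc\Configuration; the
    # 'Active' value names the CA the service is currently running.
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfgRoot)) {
        throw "Certificate Services is not installed on this host."
    }
    $caName = (Get-ItemProperty -Path $cfgRoot).Active
    $caKey  = Join-Path $cfgRoot $caName

    # CAType (ENUM_CATYPES): 0 = Enterprise Root, 1 = Enterprise Subordinate,
    # 3 = Standalone Root, 4 = Standalone Subordinate.
    $caType = [int](Get-ItemProperty -Path $caKey).CAType
    $caTypeName = switch ($caType) {
        0       { 'Enterprise Root CA' }
        1       { 'Enterprise Subordinate CA' }
        3       { 'Standalone Root CA' }
        4       { 'Standalone Subordinate CA' }
        default { "Unknown CAType $caType" }
    }
    $isEnterpriseCa = ($caType -eq 0 -or $caType -eq 1)

    # OS edition. Assumption: the product name in Win32_OperatingSystem.Caption
    # contains 'Enterprise' or 'Datacenter' on the editions that allow v2 templates.
    $osCaption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    $isEnterpriseEdition = [bool]($osCaption -match 'Enterprise|Datacenter')

    # Templates the CA is configured to issue. Assumption: certutil prints one
    # per line as "<TemplateName>: <display name> -- <access>", followed by a
    # "CertUtil: ... completed" status line; keep only the template names.
    # A standalone CA has no template list, so skip the call for it.
    $templates = @()
    if ($isEnterpriseCa) {
        $templates = @(certutil -catemplates |
            Where-Object { $_ -match '^\S+:' -and $_ -notmatch '^CertUtil:' } |
            ForEach-Object { ($_ -split ':')[0] })
    }

    New-Object -TypeName PSObject -Property @{
        CAName              = $caName
        CAType              = $caTypeName
        OSCaption           = $osCaption
        CanIssueV2Templates = ($isEnterpriseCa -and $isEnterpriseEdition)
        IssuedTemplates     = $templates
    }
}

$summary = Get-LocalCaSummary
$summary | Format-List CAName, CAType, OSCaption, CanIssueV2Templates, IssuedTemplates

if (-not $summary.CanIssueV2Templates) {
    Write-Warning "This CA cannot issue v2 templates; as the thread says, the fix is a rebuild, not a rename."
}
```

`certutil -cainfo` prints the same CA type in its "CA type:" line if you prefer a one-liner. Two caveats: `Get-WmiObject` exists only in Windows PowerShell (use `Get-CimInstance` on PowerShell 7), and the edition restriction in Brian's point 2 applies to Windows Server 2003 and 2008; from Windows Server 2008 R2 on, Standard Edition enterprise CAs can issue v2 templates as well, so on newer hosts only the CA type half of the check matters.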
Guest Jorge de Almeida Pinto [MVP - DS] Posted August 18, 2008

1. No.
2. Probably it is a standard CA instead of an enterprise CA, which does allow you to configure cert templates.
3. Probably yes, if you are not happy with it (see: MS-KBQ555151 "How to remove manually Enterprise Windows Certificate Authority from Windows 2000-2003 Domain" and MS-KBQ889250 "How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server").
4. What is the purpose of each domain, and in which domain are the objects that need the certs?

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto
# MVP Identity & Access - Directory Services
# BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS) --> http://blogs.dirteam.com/blogs/jorge/rss.aspx
How to ask a question --> http://support.microsoft.com/?id=555375
This posting is provided "AS IS" with no warranties and confers no rights!
Always test ANY suggestion in a test environment before implementing!