Enterprise CA options greyed out.


Posted

I have an issue in Production I'm trying to solve so I decided to replicate the setup using Virtual PC. I have my DC up and running, then I set up a member server running 2003 Server Standard with SP2; this is going to be my replica standalone root CA.

The strange thing I get is when I go to set up Certificate Services the options for Enterprise CA and Enterprise subordinate are available, but when I set this up in production they were greyed out. I assumed they were not available because I was running Server Standard but here in my lab I installed Standard and the Enterprise options are available. As if PKI wasn't confusing enough.

Guest Paul Adare - MVP
Posted

On Mon, 1 Sep 2008 20:01:01 -0700, Gunna wrote:

> I have an issue in Production I'm trying to solve so I decided to replicate
> the setup using Virtual PC. I have my DC up and running, then I set up a
> member server running 2003 Server Standard with SP2; this is going to be my
> replica standalone root CA.
>
> The strange thing I get is when I go to set up Certificate Services the
> options for Enterprise CA and Enterprise subordinate are available, but when
> I set this up in production they were greyed out. I assumed they were not
> available because I was running Server Standard but here in my lab I
> installed Standard and the Enterprise options are available. As if PKI wasn't
> confusing enough.

 

The account you're logged in with needs to be an Enterprise Admin account.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

Your password is pitifully obvious.

Posted

Thanks Paul, but I'm afraid I am just more confused. Can you answer a question for me because I read conflicting things. You can or cannot run Enterprise CA or Enterprise Sub on Standard edition? What's the difference between running Enterprise on a Standard server versus an Enterprise edition server?

And further to my original post. I am logged onto the member server as a member of the Domain Admin group only but I can see the option to select Enterprise Root or Enterprise Sub. Could I be seeing it because the Domain Admins group is a member of the Administrators group in Active Directory?

 

 


Posted

Brian,

 

Found some conflicting things. Firstly, as you have already said, you need to be an Enterprise Admin to install an Enterprise Root CA, and if you refer to this article http://technet.microsoft.com/en-us/library/cc776709.aspx it says the same.

However,

I just built a new environment. Standard Server 2003 SP2 domain controller and a Standard Server 2003 SP2 for my Root CA. I logged onto the 2nd machine as a user with local admin to the second server only (only domain membership was Domain Users) and tried to install PKI and sure enough I only got the Standalone options. I stopped the install and then logged on using an account I created and placed only in the Domain Users and Domain Admins groups. Then started to install Certificate Services and I got both the Enterprise and Standalone options. I then installed it completely as Enterprise Root CA as a Domain Admin only with no visible errors or issues. So what is the Enterprise Admin requirement for?

 

"Brian Komar (MVP)" wrote:

> Gunna,
> In your test environment, the account is a member of the Enterprise Admins
> group (either directly or through a group nesting).
> - You can run an enterprise CA on the Standard, Enterprise, or Data Center
>   edition SKUs
> - To get full functionality, you need to run on Enterprise or Data Center
>   SKUs
> Full functionality includes: issue certs on V2 cert templates, Key
> archival,
> Brian

Posted

Further to my other post I just made. I also found that if you install a Standalone Root CA logged in as a Domain Admin, and not a Domain + Enterprise Admin, the CRL publishes to AD OK even though it isn't an Enterprise CA. I thought that Standalones had to be manually published to AD, or is that if they are not domain members?

 


Guest Paul Adare - MVP
Posted

On Wed, 3 Sep 2008 22:36:06 -0700, Gunna wrote:

> I just built a new environment. Standard Server 2003 SP2 domain controller
> and a Standard Server 2003 SP2 for my Root CA. I logged onto the 2nd machine
> as a user with local admin to the second server only (only domain membership
> was Domain Users) and tried to install PKI and sure enough I only got the
> Standalone options. I stopped the install and then logged on using an
> account I created and placed only in the Domain Users and Domain Admins
> groups. Then started to install Certificate Services and I got both the
> Enterprise and Standalone options. I then installed it completely as
> Enterprise Root CA as a Domain Admin only with no visible errors or issues.
> So what is the Enterprise Admin requirement for?

 

The Domain Admins group in a single domain forest, or in the root domain of a multi-domain forest, has more powers than does the Domain Admins group in child domains. You're still better off getting in the habit of using Enterprise Admins as that group will always be able to install an Enterprise CA, regardless of the domain/forest structure.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

Compile: A heap of decomposing vegetable matter.
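
The question of where the access comes from can be checked directly rather than inferred from group listings. The following read-only PowerShell script is an added example, not part of any post in this thread: it reports whether the current logon token carries Enterprise Admins or the forest root's Domain Admins, and lists which principals hold write access on the PKI container. It assumes a domain-joined machine and that Enterprise CA setup needs to create objects under CN=Public Key Services,CN=Services in the configuration partition; the variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only: lists who may write to the PKI
# container in the AD configuration partition and which of those SIDs are in
# the current logon token (nested group membership is already expanded there).
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$rootNC   = [string]$rootDse.rootDomainNamingContext

# SID of the forest root domain. Enterprise Admins is <rootSid>-519 and the
# forest root's Domain Admins is <rootSid>-512 (well-known relative IDs).
$rootDomain = [ADSI]"LDAP://$rootNC"
$rootSid    = New-Object System.Security.Principal.SecurityIdentifier($rootDomain.objectSid[0], 0)
$wellKnown  = @{
    "$($rootSid.Value)-519" = 'Enterprise Admins'
    "$($rootSid.Value)-512" = 'Domain Admins (forest root)'
}

# Every SID in the caller's token: the user plus all direct and nested groups.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

foreach ($sid in $wellKnown.Keys) {
    '{0,-28} in token: {1}' -f $wellKnown[$sid], ($tokenSids -contains $sid)
}

# Assumption: Enterprise CA setup must create objects below this container.
$pki     = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNC"
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $pki.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

# Rights that allow creating or modifying objects (GenericAll includes these bits).
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty, WriteDacl'

$rules |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ([int]$_.ActiveDirectoryRights -band $writeMask) } |
    ForEach-Object {
        $sid = $_.IdentityReference.Value
        try   { $name = $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        New-Object PSObject -Property @{
            Principal = $name
            Sid       = $sid
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
            InMyToken = $tokenSids -contains $sid
        }
    } |
    Sort-Object InMyToken -Descending |
    Format-Table Principal, InMyToken, Inherited, Rights, Sid -AutoSize
```

Rows with InMyToken set to True show which group in the logon token carries the write access.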

Posted

Brian,

I'm not doubting you, I just don't see where. But I think I know how, so please confirm. I built a new AD, created a new user account and placed it into Domain Admins. Confirmed that Domain Admins or this user is not a member of Enterprise Admins. However, the Domain Admins and the Enterprise Admins are both a member of the Administrators group. I assume this is where the access is coming from, right? Say yes and I'll accept it.

 

"Brian Komar (MVP)" wrote:

> Sigh...
> The account you used was in the Enterprise Admins group. End of story.
> How many domains in your forest? My guess is one.
> Brian

Posted

Brian,

 

Looks like I answered my own question. I created a user, added it to Domain Admins, took Domain Admins out of the Administrators group. Logged onto the server to install Cert Services but still got Enterprise and Standalone. I cannot see how or where I'm getting the Enterprise Admin access you say I am getting. I'm happy to accept that's what's happening but I have to see how/where I'm getting these Enterprise rights.

 


Posted

Thanks Paul,

 

Nice undocumented feature that. Might explain a few strange issues I noticed in AD. I'll just accept that since it works in my environment.

 


Guest Alun Jones
Posted

Not undocumented - http://www.microsoft.com/technet/prodtechn...d_ads_xsfl.mspx, for instance, lists that the domain admins of the forest root domain are able to make accounts members of the Enterprise Admins and Schema Admins groups.

This is a natural consequence of having a forest root domain, whether it was documented or not, so should come as no surprise - but it is documented.

 

Alun.

~~~~

--

Texas Imperial Software | Web: http://www.wftpd.com/

23921 57th Ave SE | Blog: http://msmvps.com/alunj/

Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.

Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

 

