Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Problem with subordinate ca issuing Certs in Windows 2000 domain

Posted on 2003-11-27
6
Medium Priority
?
437 Views
Last Modified: 2013-12-04
Hi having a problem with my CA infrastructure...Parent-child domains, native mode. I placed the administrator of the child into the enterprise admin group in the parent. My DNS is not active directory intergrated (i dont think it makes a differencce however).

I created a Root CA on the DC in the parent domain, and a sub CA on the child DC. All was fine. AD was looking good. Both of course installed as enterprise CA's. Clients (other servers) begain to obtain certs. Parent clients had no problem, child clients got access denied. This was tried using the certsrv virtual directory and clients using Internet explorer.
0
Comment
Question by:lesmydad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 41

Expert Comment

by:graye
ID: 9863584
I'm not sure I understand...

You've created a Enterprise Root CA... and a Enterprise Subordinate CA.   I assume that you're issuing certification only from the Subordinate (Is that true?)  The certificate path is not "broken"... each certificate can "find it's way back" to the root.

At the certificate console (on the subordinate CA), you've selected the automatic feature for issuing certifcates?
0
 
LVL 1

Author Comment

by:lesmydad
ID: 9890313
isnt it automatic by def?
0
 
LVL 41

Expert Comment

by:graye
ID: 9893816
Autoenrollment is only available on Enterprise CA's if you use one of the certificate "templates"... nothing is automatic by default.

The idea is this... using a template (and granting appropriate users read access to that template) provides the Enterprise CA enough information (combined with the account data from the Active Directory) to issue a certificate.  That's why stand-alone CAs don't support autorenollement.. they don't have enough information on what the certificate is to be used for.  I presume you're also using the "web enrollement" feature?

I'm betting that the issue is something more simple... like a broken root.  The Enterprise root CA "points to itself" for it's authority (kinda strange when you think about it) so, it's path really can't be broken.  The Enterprise subordinate CA must be configured to point to the Enterprise root CA for it's authority. (Otherwise you've got a broken root).  

Remember too, that you can't rename the server after installing Certification Services...

Let's eliminate the simple stuff, before we get too deep.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 1

Author Comment

by:lesmydad
ID: 9906996
Thax so much for the help. Im testing it out on the Thursday 11th Dec with my class (Network Infrastructure would you believe!!!). The scenario is kind of the same but there is no child domain. I will build the child CA however. I am slightly confused over the use of AD here. I think I read that on a stand alone CA it does obviosly not use AD, but  a Stand Alone CA on a DC would infact make use of it if its available. This might sound strange but im sure i read it somewhere!!! I really need some good references. By the way I am using the /certsrv.

ps can you issue these user certs through a GPO? It seems you can with machine certs. Is this what client mappings are for?
0
 
LVL 41

Accepted Solution

by:
graye earned 1200 total points
ID: 9909040
First of all...it should have dawned me eariler...that you were issuing certificates from the root CA. Typically the root CA issues certificates to subordinate CA's only (unless you've only got one CA server )

You can use a GPO to setup a template...that will automatically issue certificates (kinda sorta the same thing)
0
 
LVL 1

Author Comment

by:lesmydad
ID: 9922137
I did get the chance to test a root-sub infrastructure using stand alones (on a single subnet) and root-sub infrastructure using enterprise CA's (on another subnet). Seemed ok. The only problem I found was that when machines acquired certs using the client cert mmc, 'request new cert' wizard, certs were being given by the enterprise root domain, not the subordinate.

If you could answer this one i would be grateful? I will post more when I get the chance to run the scenario again but next time use parent child domains across networkA--Router--networkB like in the question.
you get the points with gratitude from a tired out MCT
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question