Custom Template not listed on the Certification Authority 's Enable Certificate Templates

Hi ppl:

I'm having a bit of a problem with my Enterprise Certification Authority(CA). I was following the instructions found on:
http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm but I'm stuck on the part where I'm going to add the newly created template to the Certification Authority. When I do the "Certificate Template to issue" command that brings up the Enable Certificate Template dialog, the template is not there. I read that time must be allowed for the object to replicate through AD, I gave the server about 9 hours for it to replicate and still wasn't there. I also checked the domain replication with the ADSIEdit MMC Snap-in on the three DC's and the template was replicated as supposed. All DC's are Windows 2003 Server Standard Edition.

Pleaseeeeee?

Thanks,
Virgilio
vmelendezAsked:
Who is Participating?
 
ehammersleyConnect With a Mentor Commented:
Whew is right... the documentation is a circus.  Unless the whew was meant for me.  :-)

Basically the article from isasserver.org is walking you through configuring the certificate for autoenrollment.  The problem is that 2003 Standard CA only supports v1 certs, and v1 certs do NOT support autoenrollment.  Autoenrollment and autorenewal are new features of 2003, it wasn't possible to autoenroll user certificates in 2000 server, only computer and EFS.

Where the isaserver.org article fails in my opinion is that they do not tell you that what they are doing is only supported on Enterprise.

There is no way that I'm aware of to duplicate a v1 template in 2003 Standard and keep it at v1.  It's a pain but you will probably just have to manually issue certs for L2TP/IPSec.

Check out this link for more reading on v1 and v2 certs and 2003 Standard vs. Enterprise.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ctcon_concepts_using.asp
0
 
ehammersleyCommented:
When you duplicate the "User" template as per your doc it will create a v2 template for issue.  Windows 2003 Server Standard cannot and will not issue duplicated v2 certs.  That's why you don't see the template in the list for Certs to issue.  You can verify this by checking the Minimum Support CAs column in the Certificate Template snap-in, it will like Windows 2003 Server, Enterprise Edition.
0
 
ehammersleyCommented:
it will like... sorry about that.

Your newly created template will state Windows 2003 Server, Enterprise Edition in the Min. Supported CAs column.  I'm not sure what the point was of Microsoft limiting Standard edition like this but they did.
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
vmelendezAuthor Commented:
Whew!!
Is there any way that I could replicate the User Template with lower Minimum Support CA's? (eg. Windows 2000)? I read that     " Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition."


Right now, the certificate template shows a 101.1 with autoenroll capabilities, FYI

Thanks again
0
 
Blackduke77Commented:
ehammersley is correct on availible on enterprise edition I found out the hard way
0
 
Blackduke77Commented:
Version 2 certificate templatesWindows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.
Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.
0
 
Blackduke77Commented:
Can I ask why delete as there are two valid answers here !!!!, where both are correct
0
 
harleyjdCommented:
I am yet to recommend anything yet. The post is for you to suggest what you think is a valid answer. State your case, I will then make a recommendation and a mod will then action it.

Just saying "there are two valid answers" doesn't help me at all.

0
 
Blackduke77Commented:
Well in that case then ehammersley  was the first correct answer
0
 
harleyjdCommented:
thanks - in a few days I will make a formal recommendation, unless there are any other expert comments.

0
 
ehammersleyCommented:
I just re-read this myself and I agree with Blackduke77.  Thanks for speaking up on this BD77, I appreciate that.
0
 
Blackduke77Commented:
NP Glad to do my bit
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.