Solved

Enterprise Subordinate CA

Posted on 2010-09-10
Last Modified: 2012-05-10
Hi,

At present we have an Enterprise Root CA installed on DC1, which runs Windows Server 2003 Standard Edition SP2. Since I am not able to use the template autoenrollment feature on the Standard Edition OS, I have planned to install an Enterprise Subordinate CA on DC2, which runs Windows Server 2003 Enterprise Edition SP2.

Questions:

1) Can I install an Enterprise Subordinate CA on the Enterprise Edition OS while the Root CA is on the Standard Edition OS?

2) If yes, will this affect the certificates previously issued by the Root CA?

3) Is it possible to migrate the Root CA from the Standard Edition OS, which is a DC, to the Enterprise Edition OS, which is also another DC?

4) If yes, then what is the step-by-step procedure for the migration?
Question by: AkashSarafZenith

7 Comments
 
Expert Comment by: Paranormastic (ID: 33650534)
1) Yes, not a problem.
2) No, you would just start issuing from the new subordinate, but the root would still be valid and already deployed.
3) Not really. There are ways to migrate to another machine, but part of that process involves keeping the same hostname - if the hostname must change then you need to at least alias it so it will respond to the old name. Presuming you want to keep DC1 around for a while, you need to either start from scratch as a new root on DC2 or, as you proposed above, make DC2 a new install but subordinate it under the existing root (which is my recommendation).
4) N/A

Side note - given the opportunity, if you can install your CA somewhere other than on a DC, that would be a good thing, preferably on a dedicated box (a dedicated VM is fine). Your CA should be the backbone of your security infrastructure and should be protected.
 
Author Comment by: AkashSarafZenith (ID: 33652131)
Thanks for your response. I have one last question.

I have 3 DCs in my domain: DC1, DC2 and DC3. We want all the DCs to do LDAP queries to each other via SSL on port 636.

Since my Enterprise Root CA is on DC1, which is Win2k3 Standard Edition, it is not able to autoenroll the Domain Controller template on the other DCs; it also won't issue version 2 type certificates, since it is a Standard Edition OS.

Now, as per your previous post, if I install a Subordinate Enterprise Root CA on DC2, which is Win2k3 Enterprise Edition:

1) Will it autoenroll the Domain Controller certificate template to all the DCs, or do we have to issue it manually?

2) If it is autoenrolled, then will all DCs start querying on port 636?

3) For validation, if I log on to DC2, open LDP and try to establish a connection to DC3 on port 636, will it establish the connection?

Similarly for DC1, and vice versa.

Awaiting your response.
 
Accepted Solution by: Paranormastic (earned 500 total points; ID: 33664805)
It doesn't matter if the root is on Standard Edition, since you would be issuing autoenrollment, v2 templates, etc. from your subordinate on Enterprise Edition, which does support these things. Usually you want the root offline for security reasons (usually installed as a standalone CA instead of an enterprise CA, since it is offline/off the domain), and your CA shouldn't be on a DC unless necessary, but other than that it sounds fine.

1) You can use autoenrollment fine from the enterprise subordinate on the Enterprise OS. This should work for DCs and whatever else. If you have multiple child domains, you will need to add those to the security permissions of the template for Read, Enroll and Autoenroll permissions. You will need to issue the template on the sub CA. Since you're installing on a DC, check the AD domain local security group 'CERTSRV_DCOM_ACCESS' for group membership of domain\Domain Computers, Domain Users and Domain Controllers for each of your child domains. If not installing on a DC, then this would be a local security group on the CA box instead.

2) If they have something that will check port 636, then yes. If you didn't configure it that way, then maybe - some applications will check 636 first and, if it is not responding, will then check 389, but generally most will just check 389 instead of waiting a couple of minutes for 636 to time out - you probably need to look into updating the configuration for whatever you are hoping to achieve out of this.

3) It should - qualifying this by stating that you may need to update LDP to a version that has the SSL checkbox in the Connect dialog, and that you generally know what you are doing when querying LDAP as far as binding your credentials, addressing, etc.
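As an added example, not part of the original thread and not Paranormastic's own procedure, the following PowerShell script performs the two checks the accepted answer points at: it lists the members of CERTSRV_DCOM_ACCESS against the three groups named in point 1, and it connects to each DC on TCP 636, completes the TLS handshake, and reports whether the certificate the DC presents carries the Server Authentication EKU and chains to a root that the probing machine trusts. The DC names DC1/DC2/DC3 and the domain suffix corp.example are assumptions; the connect timeout is bounded so a DC that does not listen on 636 fails fast instead of stalling for minutes as described in point 2.

```powershell
# Added example; not from the original thread. The DC names and the domain
# suffix below are hypothetical placeholders - change them to match your forest.
$DomainSuffix = 'corp.example'
$DCs          = 'DC1', 'DC2', 'DC3'

# --- 1) CERTSRV_DCOM_ACCESS membership -------------------------------------
# On a CA that is also a DC this is the AD domain-local group; on a member
# server it is a local group. The WinNT provider enumerates either one.
function Get-CertSrvDcomMembers {
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/CERTSRV_DCOM_ACCESS,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

$required = 'Domain Computers', 'Domain Users', 'Domain Controllers'
try {
    $present = @(Get-CertSrvDcomMembers)
    foreach ($r in $required) {
        $state = if ($present -contains $r) { 'OK     ' } else { 'MISSING' }
        "CERTSRV_DCOM_ACCESS $state $r"
    }
} catch {
    "CERTSRV_DCOM_ACCESS could not be read: $($_.Exception.Message)"
}

# --- 2) LDAPS probe of each DC ----------------------------------------------
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636, [int]$TimeoutMs = 5000)
    $result = New-Object PSObject -Property @{
        Server = $Server; Listening = $false; Subject = $null; Issuer = $null
        DnsName = $null; ServerAuthEku = $false; ChainOk = $false; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect: a closed or filtered 636 must not stall the probe.
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Error = "no answer on TCP $Port within ${TimeoutMs}ms"
            return $result
        }
        $client.EndConnect($ar)
        $result.Listening = $true

        # Accept any certificate during the handshake; the chain is evaluated
        # below so the reason for a failure is reported instead of hidden.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        $result.Issuer  = $cert.Issuer
        $result.DnsName = $cert.GetNameInfo('DnsName', $false)

        # A DC certificate must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $result.ServerAuthEku = $true }
                }
            }
        }

        # Build the chain against this machine's trust store. Revocation is
        # skipped because a freshly installed sub CA often has no reachable
        # CRL yet; remove NoCheck once CRL publishing is verified.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $result.ChainOk = $chain.Build($cert)
        if (-not $result.ChainOk) {
            $result.Error = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

foreach ($dc in $DCs) {
    Test-Ldaps -Server "$dc.$DomainSuffix" |
        Select-Object Server, Listening, ChainOk, ServerAuthEku, DnsName, Issuer, Error |
        Format-List
}
```

Run it on DC2 (or any domain member) after the Domain Controller template has been issued from the new sub CA. Listening = False on a DC means no certificate has reached it yet (the DC only opens 636 once it holds a usable certificate); ChainOk = False with a "not trusted" status means the root has not been published to that machine's trusted root store; and a MISSING line for CERTSRV_DCOM_ACCESS means members of that group cannot reach the CA over DCOM to enroll.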
 
Author Closing Comment by: AkashSarafZenith (ID: 33666752)
Slow response, and I found it a little confusing.
 
Expert Comment by: Paranormastic (ID: 33666934)
What are you confused about? If you're still confused, then why did you accept an answer instead of asking for more clarification?

Also, as far as slow response - please do remember that I post out of my own good will and for no other reason. I do not get paid or anything for doing this (okay, I get a T-shirt every now and then). I posted on Friday and again on Monday - sorry I don't live on EE to check posts over the weekend. Sometimes I can check every day; other times I'm busy at my real job that I do get paid for, and it may take a few days before I can log in again.