Enterprise Subordinate CA

Posted on 2010-09-10
Last Modified: 2012-05-10

At present we have an Enterprise Root CA server installed on DC1, which runs Windows Server 2003 Standard Edition SP2. Since I am not able to use the template autoenrollment feature on the Standard Edition OS, I have planned to install an Enterprise Subordinate CA on DC2, which is Windows Server 2003 Enterprise Edition SP2.


1) Can I install an Enterprise Subordinate CA on an Enterprise Edition OS while the Root CA is on a Standard Edition OS?

2) If yes, will this affect the certificates previously issued by the Root CA?

3) Is it possible to migrate the Root CA from the Standard Edition OS, which is a DC, to the Enterprise Edition OS, which is also another DC?

4) If yes, then what is the step-by-step procedure for the migration?
Question by: AkashSarafZenith

Expert Comment

ID: 33650534
1) Yes, not a problem.
2) No, you would just start issuing from the new subordinate, but the root would still be valid and already deployed.
3) Not really. There are ways to migrate to another machine, but part of that process involves keeping the same hostname - if the hostname must change then you need to at least alias it so it will respond to the old name. Presuming you want to keep DC1 around for a while, you need to either start from scratch as a new root on DC2 or, as you proposed above, make DC2 a new install but subordinate it under the existing root (which is my recommendation).
4) N/A

Side note - given the opportunity if you can install your CA somewhere other than on a DC that would be a good thing, preferably on a dedicated box (dedicated VM is fine).  Your CA should be the backbone of your security infrastructure and should be protected.

Author Comment

ID: 33652131
Thanks for your response. I have one last question.

I have 3 DCs in my domain: DC1, DC2 and DC3. We want all the DCs to do LDAP queries to each other via SSL on port 636.

Since my Enterprise Root CA is on DC1, which is Win2k3 Standard Edition, it is not able to autoenroll the Domain Controller template on the other DCs; also it won't issue version 2 type certificates, since it is a Standard Edition OS.

Now, as per your previous post, if I install a Subordinate Enterprise Root CA on DC2, which is Win2k3 Enterprise Edition:

1) Will it autoenroll the Domain Controller certificate template to all the DCs, or do we have to issue it manually?

2) If it is autoenrolled, then will all DCs start querying at port 636?

3) For validation... if I log on to DC2 and open LDP and try to establish a connection to DC3 at port 636, will it establish the connection?

Similarly for DC1, and vice versa.

Awaiting your response.

Accepted Solution

Paranormastic earned 500 total points
ID: 33664805
It doesn't matter if the root is on Standard Edition, since you would be issuing autoenrollment, v2 templates, etc. from your subordinate on Enterprise Edition, which does support these things. Usually you want the root offline for security reasons (usually installed as a standalone CA instead of an enterprise CA, since it is offline/off the domain), and your CA shouldn't be on a DC unless necessary, but other than that it sounds fine.

1) You can use autoenrollment fine from the enterprise subordinate on the Enterprise OS. This should work for DCs, and whatever else. If you have multiple child domains, you will need to add those to the security permissions of the template for Read, Enroll and Autoenroll permissions. You will need to issue the template to the sub CA. Since you're installing on a DC, check the AD domain local security group CERTSVC_DCOM_ACCESS for group membership of domain\Domain Computers, Domain Users and Domain Controllers for each of your child domains. If not installing on a DC then this would be a local security group on the CA box instead.

2) If they have something that will check port 636 then yes. If you didn't configure it that way then maybe - some applications will check 636 first and, if it is not responding, will check 389, but generally most will just check 389 instead of waiting a couple of minutes for 636 to time out - you probably need to look into updating the configuration for whatever you are hoping to achieve out of this.

3) It should - qualifying this by stating that you may need to update LDP to a version that has the SSL checkbox in the Connect dialog, and that you generally know what you are doing when querying LDAP as far as binding your credentials, addressing, etc.
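The checks the accepted answer describes, written out as a script. This is an added example and not code from the thread or from the expert; it assumes three DCs named DC1, DC2 and DC3 in a domain corp.example.com (DN DC=corp,DC=example,DC=com), a subordinate CA on DC2 named Corp-Sub-CA, and PowerShell 2.0 on a domain-joined Windows Server 2003 box with .NET 2.0. Section 1 runs against the sub CA, section 2 on each DC, and section 3 performs the LDP-style test from question 3 against every DC: a raw TLS handshake on 636 that reports the certificate the DC presents and any chain or name error, followed by a real LDAP bind over SSL.

```powershell
# Added example; not code from the original thread. Assumptions: the DCs are DC1, DC2 and DC3
# in corp.example.com (DN DC=corp,DC=example,DC=com), the subordinate CA on DC2 is named
# "Corp-Sub-CA", and this runs in PowerShell 2.0 on a domain member with .NET 2.0 or later.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$domain   = 'corp.example.com'
$domainDn = 'DC=corp,DC=example,DC=com'
$caConfig = "DC2.$domain\Corp-Sub-CA"
$dcs      = 'DC1', 'DC2', 'DC3' | ForEach-Object { "$_.$domain" }

# --- 1. Sub-CA side -------------------------------------------------------------
# The template the DCs autoenroll for (Domain Controller, or Domain Controller
# Authentication / Kerberos Authentication) must be published on the sub CA.
certutil -config $caConfig -CATemplates

# The root that issued the sub CA must be published to AD so every DC trusts the chain.
certutil -store -enterprise Root

# On a CA that is also a DC the DCOM access group is a domain local group (the exact
# name is CERTSVC_DCOM_ACCESS); Domain Controllers, Domain Computers and Domain Users
# of each domain that will enroll must be members.
$group = [ADSI]"LDAP://CN=CERTSVC_DCOM_ACCESS,CN=Users,$domainDn"
$group.member | ForEach-Object { "CERTSVC_DCOM_ACCESS member: $_" }

# --- 2. DC side (run on each DC) ------------------------------------------------
# Refresh the autoenrollment policy and trigger an enrollment pass right away
# instead of waiting for the next scheduled one.
gpupdate /target:computer /force
certutil -pulse
# Enumerate every DC's certificate and verify it chains to a trusted root.
certutil -dcinfo $domain verify

# --- 3. LDAPS check against every DC -------------------------------------------
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $r = New-Object PSObject -Property @{
        Server = $Server; TlsOk = $false; BindOk = $false
        Subject = ''; Issuer = ''; Errors = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Record the presented certificate and the policy result instead of hiding it.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors)
            $r.Subject = $cert.Subject
            $r.Issuer  = $cert.Issuer
            $r.Errors  = "$errors"
            return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server)   # throws if the DC has no usable cert or the chain is untrusted
        $r.TlsOk = $true
        $ssl.Close()
    } catch {
        $r.Errors = ($r.Errors + ' ' + $_.Exception.Message).Trim()
    } finally {
        $client.Close()
    }

    if ($r.TlsOk) {
        # Port 636 plus a good handshake is not the whole story: confirm an actual bind works.
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate  # Kerberos as the current user
        try {
            $conn.Bind()
            $r.BindOk = $true
        } catch {
            $r.Errors = ($r.Errors + ' ' + $_.Exception.Message).Trim()
        } finally {
            $conn.Dispose()
        }
    }
    return $r
}

$dcs | ForEach-Object { Test-Ldaps -Server $_ } |
    Format-Table Server, TlsOk, BindOk, Subject, Issuer, Errors -AutoSize
```

A DC that answers on 389 but fails the handshake on 636 usually has no certificate in its machine store with the Server Authentication EKU and its FQDN in the subject or SAN, which is exactly what the autoenrolled Domain Controller template provides; a handshake that succeeds with a RemoteCertificateChainErrors result means the root is not trusted on the querying machine. Neither outcome changes which port other applications use: as the answer to question 2 says, they must be configured for 636 themselves. The graphical equivalent of section 3 is ldp.exe from the Windows Support Tools with the SSL box ticked in the Connect dialog.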

Author Closing Comment

ID: 33666752
Slow response and found Little confusing

Expert Comment

ID: 33666934
What are you confused about? If you're still confused, then why did you accept an answer instead of asking for more clarification?

Also, as far as slow response goes - please do remember that I post out of my own good will and for no other reason - I do not get paid or anything for doing this (okay, I get a T-shirt every now and then). I posted on Friday and again on Monday - sorry, I don't live on EE to check posts over the weekend. Sometimes I can check every day, other times I'm busy at my real job that I do get paid for, and it may take a few days before I can log in again.
