Enterprise Subordinate CA

Posted on 2010-09-10
Last Modified: 2012-05-10

At present we have an Enterprise Root CA server installed on DC1, which runs Windows 2003 Standard Edition SP2. Since I am not able to use the template autoenrollment feature on the Standard Edition OS, I have planned to install an Enterprise Subordinate CA on DC2, which is Windows 2003 Enterprise Edition SP2.


1) Can I install an Enterprise Subordinate CA on the Enterprise Edition OS while the Root CA is on the Standard Edition OS?

2) If yes, will this affect the certificates previously issued by the Root CA?

3) Is it possible to migrate the Root CA from the Standard Edition OS, which is a DC, to the Enterprise Edition OS, which is also another DC?

4) If yes, then what is the step-by-step procedure for the migration?
Question by:AkashSarafZenith
LVL 31

Expert Comment

ID: 33650534
1) Yes, not a problem
2) No, you would just start issuing from the new subordinate but the root would still be valid and already deployed
3) Not really.  There are ways to migrate to another machine, but part of that process involves keeping the same hostname - if the hostname must change then you need to at least alias it so it will respond to the old name.  Presuming you want to keep DC1 around for a while, you need to either start from scratch as a new root on DC2 or, as you proposed above, make DC2 a new install but subordinate it under the existing root (which is my recommendation).
4) n/a

Side note - given the opportunity if you can install your CA somewhere other than on a DC that would be a good thing, preferably on a dedicated box (dedicated VM is fine).  Your CA should be the backbone of your security infrastructure and should be protected.

Author Comment

ID: 33652131
Thanks for your response. I have one last question.

I have 3 DCs in my domain: DC1, DC2 and DC3. We want all the DCs to LDAP query each other via SSL port 636.

Since my Enterprise Root CA is on DC1, which is Win2k3 Standard Edition, it is not able to autoenroll the Domain Controller template on the other DCs; it also won't issue version 2 type certificates since it is a Standard Edition OS.

Now, as per your previous post, if I install a Subordinate Enterprise Root CA on DC2, which is Win2k3 Enterprise Edition:

1) Will it autoenroll the Domain Controller certificate template to all the DCs, or do we have to issue it manually?

2) If it is autoenrolled, will all DCs start querying on port 636?

3) For validation, if I log on to DC2, open LDP and try to establish a connection to DC3 on port 636, will it establish the connection?

Similarly for DC1, and vice versa.

Awaiting your response.
LVL 31

Accepted Solution

Paranormastic earned 500 total points
ID: 33664805
It doesn't matter if the root is on standard edition since you would be issuing autoenrollment, v2 templates, etc. from your subordinate on enterprise edition which does support these things.  Usually you want the root offline for security reasons (usually installed as a standalone CA instead of enterprise CA, since it is offline/off the domain), and your CA shouldn't be on a DC unless necessary, but other than that it sounds fine.

1) You can use autoenrollment fine from the enterprise subordinate on enterprise OS.  This should work for DCs, and whatever else.  If you have multiple child domains, you will need to add those to the security permissions of the template for read, enroll, autoenroll permissions.  You will need to issue the template to the sub CA.  Since you're installing on a DC, check the AD domain local security group 'CERTSRV_DCOM_ACCESS' for group membership for domain\domain computers, domain users, domain controllers for each of your child domains.  If not installing on a DC then this would be a local security group on the CA box instead.

2) If they have something that will check port 636 then yes.  If you didn't configure it that way then maybe - some applications will check 636 first and if not responding then will check 389, but generally most will just check 389 instead of waiting a couple minutes for 636 to timeout - you probably need to look into updating the configuration for whatever you are hoping to achieve out of this.

3) It should - qualifying this by stating that you may need to update LDP to a version that has the SSL checkbox in the connect-to box, and that you generally know what you are doing when querying LDAP as far as binding your credentials, addressing, etc.
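The accepted answer recommends validating LDAPS with LDP by hand. The script below is an added example (not code from the thread or from Experts Exchange) that does the same check from a defender's side for each DC named in the thread: it opens TCP 636, retrieves the certificate the DC presents, and confirms the points autoenrollment from the Domain Controller template is supposed to deliver (Server Authentication EKU, the DC's FQDN in the SAN or subject, a chain that builds to the enterprise root). The DC names DC1, DC2 and DC3 come from the thread; the domain suffix is a placeholder to replace with your own.

```powershell
# Added example: validate the LDAPS certificate presented by each DC on TCP 636.
# Assumes DC names from the thread and a placeholder domain suffix (replace it).
$Domain            = 'corp.example'                      # placeholder, replace with your AD DNS name
$DomainControllers = @('DC1', 'DC2', 'DC3') | ForEach-Object { "$_.$Domain" }
$ServerAuthEku     = '1.3.6.1.5.5.7.3.1'                 # Server Authentication EKU, required for LDAPS

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; Reachable = $false; Subject = $null; Issuer = $null; NotAfter = $null
        HasServerAuthEku = $false; NameMatches = $false; ChainValid = $false; Notes = @()
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so an unresponsive 636 does not hang the whole run.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Notes += "no answer on TCP $Port within ${TimeoutMs}ms"
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.Reachable = $true

        # Accept any certificate at handshake time so it can be inspected; real validation follows below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # EKU check: the Domain Controller template carries Server Authentication; LDAPS needs it.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $result.HasServerAuthEku = [bool]($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $ServerAuthEku })

        # Name check: the DC FQDN must appear in the Subject Alternative Name (OID 2.5.29.17) or the subject CN.
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $escaped = [regex]::Escape($HostName)
        $result.NameMatches = ($sanText -match $escaped) -or ($cert.Subject -match "CN=$escaped")

        # Chain check against this machine's trust store; the enterprise root must be trusted here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'    # switch to 'Online' once CRL/AIA publishing is confirmed
        $result.ChainValid = $chain.Build($cert)
        if (-not $result.ChainValid) {
            $result.Notes += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $result.Notes += 'expires within 30 days' }
    }
    catch { $result.Notes += $_.Exception.Message }
    finally { $client.Close() }
    return [pscustomobject]$result
}

# Run against every DC and show one row per host; any $false column is a finding to chase.
$DomainControllers | ForEach-Object { Test-LdapsCertificate -HostName $_ } | Format-Table -AutoSize
```

Run it from a domain-joined machine that trusts the enterprise root. A host that is reachable but shows `HasServerAuthEku` or `NameMatches` as false has a certificate that LDAP clients will reject, which matches the answer's point that applications fall back to 389 rather than wait on a broken 636; `ChainValid` false with a trust-related status usually means the root has not been published to the client's store yet.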

Author Closing Comment

ID: 33666752
Slow response and found it a little confusing.
LVL 31

Expert Comment

ID: 33666934
What are you confused about?  If you're still confused, then why did you accept an answer instead of asking for more clarification?

Also, as far as slow response - please do remember that I post out of my own good will and for no other reason - I do not get paid or anything for doing this (okay, I get a T-shirt every now and then).  I posted on Friday and again on Monday - sorry, I don't live on EE to check posts over the weekend.  Sometimes I can check every day; other times I'm busy at my real job that I do get paid for, and it may take a few days before I can log in again.
