Enterprise Subordinate CA


At present we have an Enterprise Root CA installed on DC1, which runs Windows Server 2003 Standard Edition SP2. Since I am not able to use the template autoenrollment feature on the Standard Edition OS, I have planned to install an Enterprise Subordinate CA on DC2, which is Windows Server 2003 Enterprise Edition SP2.


1) Can I install an Enterprise Subordinate CA on an Enterprise Edition OS when the Root CA is on a Standard Edition OS?

2) If yes, will this affect the certificates previously issued by the Root CA?

3) Is it possible to migrate the Root CA from the Standard Edition OS (which is a DC) to the Enterprise Edition OS (which is also a DC)?

4) If yes, what is the step-by-step procedure for the migration?
Paranormastic (Cryptographic Engineer) commented:
It doesn't matter if the root is on Standard Edition, since you would be issuing autoenrollment, v2 templates, etc. from your subordinate on Enterprise Edition, which does support these things. Usually you want the root offline for security reasons (usually installed as a standalone CA instead of an enterprise CA, since it is offline/off the domain), and your CA shouldn't be on a DC unless necessary, but other than that it sounds fine.

1) You can use autoenrollment fine from the enterprise subordinate on the Enterprise OS. This should work for DCs and whatever else. If you have multiple child domains, you will need to add those to the security permissions of the template with Read, Enroll and Autoenroll permissions. You will need to issue the template on the sub CA. Since you're installing on a DC, check the AD domain local security group CERTSRV_DCOM_ACCESS for membership of domain\Domain Computers, Domain Users and Domain Controllers for each of your child domains. If not installing on a DC, this would be a local security group on the CA box instead.

2) If they have something that will check port 636, then yes. If you didn't configure it that way, then maybe - some applications will check 636 first and, if it is not responding, will then check 389, but generally most will just check 389 instead of waiting a couple of minutes for 636 to time out. You probably need to look into updating the configuration for whatever you are hoping to achieve out of this.

3) It should - qualifying this by stating that you may need to update LDP to a version that has the SSL checkbox in the Connect dialog, and that you generally know what you are doing when querying LDAP as far as binding your credentials, addressing, etc.
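The checks in the answer above (CERTSRV_DCOM_ACCESS membership, the template's Read/Enroll/Autoenroll permissions, the template being issued on the sub CA, and the port 636 test that LDP does by hand) can be scripted so they are repeatable across all three DCs. The script below is an added example for this thread, not Paranormastic's code or anything from the original posts. It assumes it is run as a domain admin from a machine with the RSAT ActiveDirectory module, and it uses placeholder names that must be replaced: the CA config string 'DC2\Contoso-Sub-CA' (certutil -dump on the CA shows the real one), the v2 template 'DomainControllerAuthentication' ("Domain Controller Authentication", the template an Enterprise Edition CA would normally issue for DCs), and the DC FQDNs under contoso.local. The 636 test passes the FQDN as the expected host name, so short names will show a name-mismatch error rather than a clean result.

```powershell
# Added example, not from the thread. Placeholders: $CaConfig, $Template, $Dcs.
$CaConfig = 'DC2\Contoso-Sub-CA'               # "<CA host>\<CA common name>" (assumption)
$Template = 'DomainControllerAuthentication'   # v2 template "Domain Controller Authentication" (assumption)
$Dcs      = 'dc1.contoso.local', 'dc2.contoso.local', 'dc3.contoso.local'   # assumption

Import-Module ActiveDirectory

# 1) CERTSRV_DCOM_ACCESS. With the CA on a DC this is a domain local group; the accounts that
#    will enroll must be in it or their DCOM requests to the CA are refused.
$dcomMembers = Get-ADGroupMember -Identity 'CERTSRV_DCOM_ACCESS' | Select-Object -ExpandProperty Name
foreach ($required in 'Domain Computers', 'Domain Users', 'Domain Controllers') {
    if ($dcomMembers -contains $required) { "OK       CERTSRV_DCOM_ACCESS contains $required" }
    else                                  { "MISSING  CERTSRV_DCOM_ACCESS lacks $required" }
}

# 2) Template ACL: Domain Controllers needs Read plus the Enroll and AutoEnroll extended rights,
#    which AD identifies by well-known rights GUIDs.
$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$aces = (Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like '*\Domain Controllers' }
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoGuid   = [guid]'a05b8cc2-17bc-11d3-8bfb-0000f87a9c6a'   # Certificate-AutoEnrollment
$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$hasRead   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $genericRead) -ne 0 })
$hasEnroll = [bool]($aces | Where-Object { $_.ObjectType -eq $enrollGuid })
$hasAuto   = [bool]($aces | Where-Object { $_.ObjectType -eq $autoGuid })
"Template $Template, Domain Controllers: Read=$hasRead Enroll=$hasEnroll AutoEnroll=$hasAuto"

# 3) The template must be on the CA's issued list; existing in AD is not enough.
$issued = certutil -config $CaConfig -catemplates
if ($issued -match "^$($Template):") { "OK       $Template is issued by $CaConfig" }
else { "MISSING  $Template is not issued by $CaConfig (certsrv.msc > Certificate Templates > New > Certificate Template to Issue)" }

# 4) Trigger autoenrollment on each DC now and report the newest cert issued by the sub CA.
$caName = ($CaConfig -split '\\')[1]
foreach ($dc in $Dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $caName -ScriptBlock {
        param($caName)
        certutil -pulse | Out-Null          # run the autoenrollment task instead of waiting for its timer
        Start-Sleep -Seconds 10
        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like "CN=$caName*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if ($cert) { "$env:COMPUTERNAME holds $($cert.Subject) from $caName, expires $($cert.NotAfter)" }
        else       { "$env:COMPUTERNAME has no certificate from $caName yet (check the CA's Failed Requests)" }
    }
}

# 5) LDAP over SSL on 636: the same TLS handshake LDP performs with its SSL box ticked, against
#    every DC. A DC only completes this once it holds a usable Server Authentication certificate;
#    clients still have to be configured to talk to 636 rather than 389.
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $seen = @{ Cert = $null; Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $seen.Errors = $errors
        return $true        # accept so the result can be reported; judge on ChainErrors below
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{ Server = $Server; Handshake = 'OK'; Protocol = $ssl.SslProtocol
                           Subject = $seen.Cert.Subject; Issuer = $seen.Cert.Issuer
                           NotAfter = $seen.Cert.NotAfter; ChainErrors = $seen.Errors }
    } catch {
        [pscustomobject]@{ Server = $Server; Handshake = "FAILED: $($_.Exception.Message)"; Protocol = $null
                           Subject = $null; Issuer = $null; NotAfter = $null; ChainErrors = $null }
    } finally { $tcp.Close() }
}
$Dcs | ForEach-Object { Test-Ldaps -Server $_ } | Format-Table -AutoSize
```

A row with Handshake OK and ChainErrors None means that DC presents a certificate the querying machine trusts, which is what an LDP connect on 636 with SSL ticked would show. RemoteCertificateChainErrors means the issuing CA is not trusted on the client; RemoteCertificateNameMismatch means the cert's name does not match the host name used to connect.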
Paranormastic (Cryptographic Engineer) commented:
1) Yes, not a problem.
2) No, you would just start issuing from the new subordinate, but the root would still be valid and already deployed.
3) Not really. There are ways to migrate to another machine, but part of that process involves keeping the same hostname - if the hostname must change then you need to at least alias it so it will respond to the old name. Presuming you want to keep DC1 around for a while, you need to either start from scratch with a new root on DC2 or, as you proposed above, make DC2 a new install but subordinate it under the existing root (which is my recommendation).
4) n/a

Side note - given the opportunity if you can install your CA somewhere other than on a DC that would be a good thing, preferably on a dedicated box (dedicated VM is fine).  Your CA should be the backbone of your security infrastructure and should be protected.
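Once DC2 has been subordinated under the existing root, the two claims in the answer above (the sub CA chains to DC1's root, and certificates the root issued earlier stay valid) can be confirmed from any domain member. The script below is an added example, not code from the thread; the config strings 'DC1\Contoso-Root-CA' and 'DC2\Contoso-Sub-CA' are placeholders for your own CA names (certutil -dump on each CA prints the real string).

```powershell
# Added example, not from the thread. Placeholders: $RootConfig, $SubConfig.
$RootConfig = 'DC1\Contoso-Root-CA'   # assumption
$SubConfig  = 'DC2\Contoso-Sub-CA'    # assumption
$work = Join-Path $env:TEMP 'ca-hierarchy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$rootFile = Join-Path $work 'root.cer'
$subFile  = Join-Path $work 'sub.cer'

# Fetch each CA's own certificate over DCOM (what certsrv.msc shows under CA Properties)
certutil -config $RootConfig -ca.cert $rootFile | Out-Null
certutil -config $SubConfig  -ca.cert $subFile  | Out-Null
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootFile
$sub  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $subFile

"Root : $($root.Subject)   self-signed: $($root.Subject -eq $root.Issuer)"
"Sub  : $($sub.Subject)   issued by: $($sub.Issuer)"
if ($sub.Issuer -ne $root.Subject) { Write-Warning 'The subordinate CA certificate was not issued by the expected root.' }

# Build the subordinate's chain with online revocation checking. This proves the root is trusted on
# this machine and that the root's CRL is reachable; a sub CA whose parent CRL cannot be fetched
# fails here and its issued certificates fail the same way on every client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($sub)
"Subordinate chain builds: $built"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

# Certificates the root issued earlier keep working because they still chain to the same root.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq $root.Subject } | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    "Existing cert $($_.Subject) (serial $($_.SerialNumber)) still valid: $($c.Build($_))"
}

# Both CA certificates should be published in AD: the root in the enterprise Root store and every
# enterprise CA in NTAuth, otherwise DC and smart-card logon will not accept the issued certificates.
foreach ($store in 'Root', 'NTAuth') {
    "--- enterprise $store store"
    certutil -enterprise -store $store | Select-String '^\s*Subject:'
}
```

If the chain fails with RevocationStatusUnknown or OfflineRevocation, fix the root's CRL distribution point before enrolling anything from the subordinate; every certificate it issues inherits that failure.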
AkashSarafZenith (Author) commented:
Thanks for your response. I have one last question.

I have 3 DCs in my domain: DC1, DC2 and DC3. We want all the DCs to do LDAP queries to each other via SSL on port 636.

Since my Enterprise Root CA is on DC1, which is Win2k3 Standard Edition, it is not able to autoenroll the Domain Controller template on the other DCs, and it won't issue version 2 certificates since it is a Standard Edition OS.

Now, as per your previous post, if I install a Subordinate Enterprise Root CA on DC2, which is Win2k3 Enterprise Edition:

1) Will it autoenroll the Domain Controller certificate template on all the DCs, or do we have to issue it manually?

2) If it is autoenrolled, will all DCs start querying on port 636?

3) For validation: if I log on to DC2, open LDP and try to establish a connection to DC3 on port 636, will it establish the connection?

Similarly for DC1, and vice versa.

Awaiting your response.
AkashSarafZenith (Author) commented:
Slow response, and I found it a little confusing.
Paranormastic (Cryptographic Engineer) commented:
What are you confused about? If you're still confused, then why did you accept an answer instead of asking for more clarification?

Also, as far as slow response goes - please do remember that I post out of my own good will and for no other reason. I do not get paid or anything for doing this (okay, I get a T-shirt every now and then). I posted on Friday and again on Monday - sorry I don't live on EE to check posts over the weekend. Sometimes I can check every day; other times I'm busy at my real job, which I do get paid for, and it may take a few days before I can log in again.