royatnts
asked on
AutoEnrollment group policy is not enabled
Hello. I'm not an expert when it comes to certificates, and I'm getting a non-compliance warning from the BPA for AD CS. Details are:
Title:
User autoenrollment group policy is not enabled
Severity: Warning
Date:
3/16/2014 2:48:19 PM
Category:
Configuration
Issue:
This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled.
Impact:
An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
Resolution:
If user autoenrollment is desired, use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate templates.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=122630
I have followed the instructions in the link above to enable, but if I run a new scan, the BPA warning still exists. And if I view the Default Domain Policy details, it shows it's enabled.
How can I resolve this?
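One way to check what policy actually landed on the CA server, as opposed to what the GPMC displays, is to read the Group Policy registry location for certificate autoenrollment on that host. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 2.0 or later (as shipped with SBS 2011), and the decoding of the AEPolicy option bits follows the wincrypt AUTO_ENROLLMENT_* flags as I understand them (0x8000 = disabled), which the thread itself does not state.

```powershell
# Added example, not code from the thread. Reads the Group Policy registry
# location for certificate autoenrollment on THIS host and decodes it, so you
# can compare what the GPMC shows with what actually applied after gpupdate.
# Works on Windows PowerShell 2.0 (SBS 2011). Bit meanings below follow the
# wincrypt AUTO_ENROLLMENT_* flags as I understand them; 0x8000 = disabled.
function Get-AutoEnrollmentPolicyState {
    param(
        [ValidateSet('User', 'Machine')]
        [string]$Scope = 'User'
    )
    $hive = if ($Scope -eq 'User') { 'HKCU:' } else { 'HKLM:' }
    $path = Join-Path $hive 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'

    $result = New-Object PSObject -Property @{
        Scope           = $Scope
        State           = 'NotConfigured'   # no policy delivered to this host/user
        AEPolicy        = $null
        UpdateTemplates = $false            # "Update certificates that use certificate templates"
        RenewAndManage  = $false            # "Renew expired / update pending / remove revoked"
    }
    if (Test-Path $path) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties['AEPolicy']) {
            $value = [int]$item.AEPolicy
            $result.AEPolicy = ('0x{0:X}' -f $value)
            if ($value -band 0x8000) {
                $result.State = 'Disabled'
            } else {
                $result.State = 'Enabled'
                $result.UpdateTemplates = [bool]($value -band 0x1)
                $result.RenewAndManage  = [bool]($value -band 0x6)
            }
        }
    }
    return $result
}

# Report both scopes; the BPA rule quoted in the question concerns the User scope.
'User', 'Machine' | ForEach-Object { Get-AutoEnrollmentPolicyState -Scope $_ } |
    Format-Table Scope, State, AEPolicy, UpdateTemplates, RenewAndManage -AutoSize
```

Run it on the CA server, as the account that runs the BPA scan, after `gpupdate /force`; a User row reading NotConfigured while the GPMC shows Enabled points at the policy not reaching that user (GPO link, security filtering or replication) rather than at the CA itself.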
Remove CA options from your server. I would never use my server as a CA. Just buy a cert, it's cheap, or use an automatically generated certificate.
ASKER
Thanks for your reply. Can you be more specific? Do you mean to remove the AD CA role? I'm not sure why it is there; it was installed years ago, but I'm also not sure of the impact this will cause, if any.
I checked and there is a 3rd party cert installed in the exchange server for SSL. However I thought this cert was just for exchange. Are the other remote connection services (OWA, RWA, IIS, Outlook Anywhere, Autodiscover etc) using it as well?
The third party cert is what you need installed for all roles (if required).
I don't know why you'd have your own CA.
ASKER
Thanks again. I'm not sure why the CA is installed either. Maybe the intent was to ensure remote clients were using (enrolling) the self-signed cert, and/or possibly it was before the 3rd party cert was purchased.
I have checked the private 3rd party cert using Exchange Mgmt Console/Exchange Certificates and it has IMAP, POP, SMTP & IIS applied to it, still valid for another year.
Getting back to your comment to remove the CA options. Would I simply do the "Remove Role Service" under Server Manager/Certificate Authority Options and walk through the wizard?
Also, what impact could I expect now that this service has been running for years?
BTW- The CA is the only option installed within AD CS, so is it safe to remove the entire AD CS role? And if this applies, what impact could I expect for this?
Thanks in advance.
For a self signed cert, you don't need the CA installed :)
If you remind me in 10 hours, and give me the exact version of OS (incl SP) I can check why it was installed (whether it was automatic).
And yes, removing is literally, remove the role.
As far as the removal goes, take a backup of your private and public keys from the CA.
ASKER
Thanks again - here is your reminder. BTW, I'm all for removing anything that isn't needed; keeping management and operations as simple as possible.
Server Info......
Windows Small Business Server 2011 SP1
Roles: AD CS using only AD CA option
AD DS
Application Server
DHCP Server
DNS Server
File Server
Network Policy & Access Server
Remote Desktop Server
Web Server (IIS)
w/ Exchange Server 2010 Version: 14.01.0218.013
In server manager, under the Enterprise PKI, I have one entry for the <domainname-machinename-CA >
In server manager, the entry for the <domainname-machinename-CA > lists:
Revoked Certificates - none
Issued Certificates - about 30 in list
Pending Requests - none
Failed Requests - none
Certificate Templates - 12
I did a right-click of the CA above and performed a "Backup CA" task.
Again, I'm not an expert when it comes to certificates and how they've been issued for user, workstation and domain connections of this client. We need to make sure that removing the CA will not break anything (local and/or remote connections), either immediately or whenever any issued certs expire. I'm concerned about the impact of doing this in a production environment. Would it be safer to just shut down the AD CS service and see what happens?
Apologies for the delay in coming back to you. Been manic at work!
I did check and Active Directory Certificate Services is installed on the server. Don't remove the feature please.
http://technet.microsoft.com/en-us/library/dd379539(v=ws.10).aspx - has the solution for your problem
ASKER
Imtiaz,
I believe we are back to square one. Please see the top of this article. That Microsoft solution is where I started. I was hoping you could shed some light on why it did not work.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for royatnts's comment #a39950840
for the following reason:
Since no one is responding, I'm considering this topic closed. There really wasn't a solution posted, however credit is given for some useful info I received.