PKI Certificate Server Install in AD Empty Root Domain

Discussion in 'Windows Server' started by FastEddie, Jul 21, 2005.

  1. FastEddie

    FastEddie Guest

    Platform: Windows 2003 AD with an empty root

    We are installing an Enterprise CA in our Active Directory 2003 Forest. All
    our resources, users, and computers and effective GP settings are in a
    domain under the empty forest root domain.

    My questions:

    If I install the CA in the forest root, will the certificates and auto
    issuing of certificates work correctly in the other domains within the
    forest or should I install the Enterprise CA in the domain that houses all
    the resources, machines and users?

    Also, can I use this CA to issue certs in another Forest?


    Fast Eddie
    FastEddie, Jul 21, 2005
    1. Advertisements

  2. FastEddie

    Brian Komar Guest

    Answers inline:

    It really does not matter which domain you install the certificates in.
    Whichever domain you choose, you will have to do some additional work to
    issue certificates to other domains in the forest.
    1) Certificate templates. The default permissions will only include
    groups in the forest root domain. You must modify permissions for other
    domains to assign Read and Enroll perms (possibily autoenroll).
    2) Publication to AD to the userCertificate attribute. An enterprise CA
    by default can only publish certificates to user objects in the same
    domain. Follow the instructions in Q281271 "Windows 2000 CA Config. to
    Publish Certs in AD of Trusted Domain" to assign the correct perms to
    the Cert Publishers group to the other domains in the forest.
    No. A CA can only issue certs to users in the same forest. You can in
    some cases, if the subject is provided in the request, but what you may
    want to look at is a root that is not specific to either forest, and
    then subordinate CAs in each forest.
    Brian Komar, Jul 21, 2005
    1. Advertisements

  3. FastEddie

    FastEddie Guest

    Thanks. Just what I was looking for.


    FastEddie, Jul 21, 2005
  4. FastEddie

    FastEddie Guest

    Questions inline:

    So you are saying I could have a Ent CA in my forest root (forest A, Domain
    A) and a subordinate in my member domain (Forest A, Domain B) to auto issue
    certs for machines and accounts?

    Then also have a Subordinate CA in Forest B but not in the root domain, in a
    sub domain Forest B...?

    Both subordinates can auto issue certs for machines and accounts?
    FastEddie, Jul 21, 2005
  5. FastEddie

    Brian Komar Guest

    Not quite.
    A root CA in this scenario should be an offline CA (not a member of any
    forest and running as a standalone CA). Then place a subordinate
    enterprise CA in each forest to allow issuance of certificates to users,
    computers, and devices in the two forests.

    See the best practices white paper at:

    Brian Komar, Jul 22, 2005
  6. FastEddie

    Brian Komar Guest

    Although in an MS paper, this I have found is an over-simplification.
    Other factors can lead a company to placing the enterprise CA in a
    domain other than the forest root domain.
    - GPO deployment - If the GPO design is not well developed in the root
    domain (the empty root model), then it may be better from a security
    perspective to place the CA computer account in a non-root domain

    - Security policies for computer account placement in the root domain.
    Some organizations have policies that only root domain DCs will exist in
    the forest root domain. All application servers, including CAs must be
    in a child domain.

    To be honest, it really does not matter. Both solutions (forest root or
    not) can be secured.

    Brian Komar, Jul 22, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.