PKI- Need HELP getting new CA published in enrollment services container

-

how publish enterprise subordinate certificate enrollment services container?  have machine in cert publishers group in ad , copied oid's , in aia , cdp containers, can't seem published in important container.  have resource forest , trying publish the account forest's containers.
thanks in advance! 

ok after few weeks of headaches figured out problem is.  should included in next cross-forest certification whitepaper no 1 else has deal.  anyway, when have windows 2008 enterprise ca in own forest , you're trying to use the cross-forest certificate enrollment  other forest's schema at windows 2003 level then autoenrollment work, cannot use of the new features of windows 2008 ca. 

basically when install certificate services on 2008 ca machine, not install of roles.  can install "certification authority" , "certification authority web enrollment" roles if want auto enrollment work.  reason because when try using pkisync.ps1 script provided microsoft copy objects resources forest account forest, error cannot copy object in enrollment services container if have other roles installed.  because when install other roles, ad object in enrollment services container has new attributes windows 2003 doesn't know with.  because of this, object not copy over.  autoenrollment not work in 2003 forest if object not copied over.

once upgrade schema windows 2008, the available roles can be installed , configured , able use the new features of windows 2008 ca in cross forest pki environment. 

note if you need have role services installed, web enrollment in account forest work fine.  also, if have 2-tier pki structure , have all of roles installed, can keep the resource forest way , install 2008 member server in account forest based on root ca.  once upgrade schema 2008, can decommission ca in account forest , use pkisync script to copy objects from resource forest account forest and the enterprise ca in resource forest will work should.   

if have installed roles , you're having issue, can uninstall new roles not supported 2003 schema , once use pkisync script , have group policy setting in place for users , computers autoenroll should start working should.  best of luck.    



Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more