PKI in a Single Forest with Multiple Domains
Hi,
I have a question regarding template permissions in a single forest with multiple domains (a common root and country-specific child domains).
I need to implement a PKI solution (preferably a standalone root CA and an enterprise subordinate issuing CA) for use in only one of the country domains, without impacting the rest of the forest, i.e. the other country domains.
I have a lab-ed environment, and have discovered that the permissions on the security templates in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=root_domain,DC=lan are either Authenticated Users or root_domain.lan\global groups. The users and machines are in country.root_domain.lan\global groups.
(These permissions appear on most of the PKI-specific containers.)
The enterprise CA was installed by a user logged in to root_domain with local administrator, (root) domain admin and enterprise admin permissions.
Is this the usual behaviour for the permissions on the Certificate Templates container?
How do I set the required permissions for domain members to enroll in templates?
How can I ensure that members of the country domain receive certificates from the issuing CA?
As no other DCs in the forest need certificates from this CA, can I stop them from autoenrolling the DomainController certificate?
Apologies for the rather long post, but I can't find documentation that targets this type of environment.
Regards,
Shaun
Hi Shaun,
The PKI service is per definition a "forest resource", so forest root domain groups are given these permissions. However, this does not prevent you from limiting certificate enrollment to one domain:
Options to set permissions:
1) You can, and should, change the permissions on the templates you want to use: replace the root domain group with the child domain group. Right-click the template and change the Enroll (and Autoenroll) permission.
2) You can set permissions on the CA enrollment service: in the properties of the CA in the CA MMC, on the Security tab. The preferred way to limit enrollment permissions to entities of one domain is to grant the Request Certificates permission to Domain Users, not to Authenticated Users.
Besides this, you have to publish the template at the CA. If you do not publish the template, no client is able to enroll. Be aware of the DC templates: DCs of the domains enroll automatically unless you remove the template after setup of a W2K3 CA. W2K8 allows you to pre-configure the CA without the template being published (using the CAPolicy.inf file on setup).
Then, after the group Enterprise Domain Controllers has been replaced with <child domain>\Domain Controllers, the template can be published again.
BR,
Elke
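As an added example of option 1 (not Elke's or the thread's own code), this PowerShell script audits and rewrites the Enroll/Autoenroll ACEs on a template in the Certificate Templates container named in the question. It assumes the RSAT ActiveDirectory module, an Enterprise Admin session, and placeholder names for the template ('CountryUser') and the root/child domain groups; the extended-right GUIDs are read from the forest's own Extended-Rights container rather than hard-coded.

```powershell
# Added example: scope a template's Enroll / Autoenroll rights to a child-domain group.
# Assumptions: RSAT ActiveDirectory module (provides the AD: drive), Enterprise Admin
# rights, and placeholder DNs/group names for the forest described in the question.
Import-Module ActiveDirectory

$ConfigNC    = 'CN=Configuration,DC=root_domain,DC=lan'
$TemplatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Resolve the Enroll / AutoEnroll extended-right GUIDs from the forest's schema data.
function Get-EnrollmentRightGuid([string]$Cn) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" `
        -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    [guid]$right.rightsGuid
}
$EnrollGuid     = Get-EnrollmentRightGuid 'Certificate-Enrollment'
$AutoEnrollGuid = Get-EnrollmentRightGuid 'Certificate-AutoEnrollment'

# Audit step: who currently holds Enroll / Autoenroll on the template.
function Get-TemplateEnrollmentAces([string]$TemplateName) {
    $acl = Get-Acl -Path "AD:\CN=$TemplateName,$TemplatesDN"
    $acl.Access | Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -in @($EnrollGuid, $AutoEnrollGuid))
    } | Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' } else { 'AutoEnroll' } } }
}

# Replace a root-domain principal with a child-domain principal for both rights.
function Set-TemplateEnrollmentScope {
    param([string]$TemplateName, [string]$RemovePrincipal, [string]$GrantPrincipal)
    $path = "AD:\CN=$TemplateName,$TemplatesDN"
    $acl  = Get-Acl -Path $path
    $old  = New-Object System.Security.Principal.NTAccount($RemovePrincipal)
    $new  = New-Object System.Security.Principal.NTAccount($GrantPrincipal)
    foreach ($guid in @($EnrollGuid, $AutoEnrollGuid)) {
        $oldRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($old, 'ExtendedRight', 'Allow', $guid)
        [void]$acl.RemoveAccessRule($oldRule)          # drop the root-domain ACE
        $newRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($new, 'ExtendedRight', 'Allow', $guid)
        $acl.AddAccessRule($newRule)                   # grant it to the child-domain group
    }
    Set-Acl -Path $path -AclObject $acl
}

# Constructed example: template 'CountryUser', moved from the root domain's
# Domain Users to the country child domain's Domain Users.
Set-TemplateEnrollmentScope -TemplateName 'CountryUser' `
    -RemovePrincipal 'ROOT_DOMAIN\Domain Users' -GrantPrincipal 'COUNTRY\Domain Users'
Get-TemplateEnrollmentAces -TemplateName 'CountryUser'
```

Publishing the template at the CA and the CA-level Request Certificates permission (option 2, set on the Security tab in the CA MMC) are separate steps not covered by this ACL change.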