2008 CA usage
Folks,

I want to implement two-form authentication for VPN in my domain. I went down the path of setting up autoenrollment for my CA to find out later that you need Enterprise for autoenrollment to work. Upgrading to Enterprise may still be on the table, but we have a 2008 Enterprise server that we are using for testing. This server will eventually make it into production. Can I just add the 2008 as a subordinate CA and make the 2008 server take on the role of autoenrollment? I went through the role setup and it all seemed feasible, but we want to change the name of the 2008 before we proceed.
November 13th, 2008 8:59pm
By "Enterprise" are you talking about the version of the OS or the type of CA deployment? The terms can be confusing, as you can have a Standalone CA deployed using either Windows Server Standard/Enterprise, or an AD-integrated Enterprise CA deployment using either version as well. What is your current configuration?

Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
November 14th, 2008 1:52am
Hi,
It is right of you to rename the Windows 2008 server before installing Certificate Authority. We generally cannot rename it after the CA is installed, or all certificates it has issued would be invalidated.
I suggest you uninstall the original CA on Windows 2008. After that, rename the server and join it to the domain to set up the CA.
Please note, autoenrollment doesn't only require an Enterprise root Certificate Authority; Windows Server 2003, Enterprise Edition, or higher is also required to configure version 2 certificate templates for autoenrollment requests.
For more information, please refer to the following article:
Checklist: Configuring certificate autoenrollment
http://technet.microsoft.com/en-us/library/cc773385.aspx
How Autoenrollment Works
http://technet.microsoft.com/en-us/library/cc787781.aspx
If autoenrollment cannot work, please let us know the detailed symptoms. If there is any error, a screenshot is helpful.
Thanks
November 14th, 2008 1:29pm
Jeff, I basically understand an enterprise CA to be a CA that is linked to AD, and a standalone CA to not be associated with AD. In my scenario I have Active Directory, and on my Domain Controller is the CA, making it an enterprise CA, correct?

Mervyn, with regards to installing the CA on the 2008 server, I did not go through with it because of the name issue. I intend on using the Server 2008 Enterprise to meet the requirements for autoenrollment.

I guess my main question is "can I add Server 2008 Enterprise to my domain (not as a DC) and use it to autoenroll machine certificates?"
November 14th, 2008 7:01pm
Hi,
The answer to your question is Yes.
It is suggested to create a subordinate CA to issue certificates.
We can find the following information in Certificate Services Best Practices:
"Keep the root certification authority offline and secure its signing key by hardware and keep it in a vault to minimize potential for key compromise."
For more information, see Checklist: Creating a certification hierarchy with an offline root certification authority.
Thanks
November 15th, 2008 8:07am
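As an added example (my own, not code from any of the posters above): a PowerShell check, run on a domain member that should be receiving a machine certificate, for the three things the answers in this thread hinge on: whether the autoenrollment group policy has actually reached the machine, whether the issuing CA is an AD-integrated (Enterprise) CA rather than a standalone one, and whether the template is published on that CA; it then triggers an autoenrollment pass and looks for the resulting certificate. The CA configuration string and template name are placeholders for your own environment. The AEPolicy registry value and the two certificate-template extension OIDs are assumptions drawn from the Windows autoenrollment client, not from anything in this thread.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on a
# domain-joined machine that should be autoenrolling a machine certificate.
# Placeholders (hypothetical, replace with your own values):
$CaConfig     = "SUBCA01.corp.example.com\Corp Issuing CA"   # "CAHost\CA common name"
$TemplateName = "Machine"                                    # template's internal name

# 1. Has the "Certificate Services Client - Auto-Enrollment" GPO applied?
#    Assumption: the policy writes a DWORD named AEPolicy under this key.
#    Bits: 1 = enabled, 2 = renew expired / update pending, 4 = update templates; 7 = all.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning "Autoenrollment policy not applied: no AEPolicy value under $aeKey (run gpupdate /force and retry)."
} else {
    Write-Host ("AEPolicy = {0}  (7 = enroll + renew + update templates)" -f $aePolicy)
}

# 2. Is the target CA an Enterprise CA? A standalone CA cannot serve template-based
#    autoenrollment regardless of which Windows edition it runs on.
$caType = certutil -config $CaConfig -CAInfo type
Write-Host ($caType -join "`n")
if (-not ($caType -match 'Enterprise')) {
    Write-Warning "CA is not reported as an Enterprise CA; autoenrollment will not work against it."
}

# 3. Is the template published on that CA, and does this computer have Enroll/Autoenroll
#    rights on it? certutil -CATemplates prints one line per template with the access result.
$published = certutil -config $CaConfig -CATemplates
$tplLine   = $published | Where-Object { $_ -match "^$TemplateName\b" }
if (-not $tplLine) {
    Write-Warning "Template '$TemplateName' is not published on $CaConfig."
} else {
    Write-Host "Template line from CA: $tplLine"
}

# 4. Trigger an autoenrollment pass now instead of waiting for the next scheduled run,
#    give it a moment, then look in the machine store for a cert issued from the template.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# Assumption: v2 templates stamp 1.3.6.1.4.1.311.21.7 (Certificate Template Information),
# v1 templates stamp 1.3.6.1.4.1.311.20.2 (Certificate Template Name).
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    $ext -and ($ext.Format($true) -match $TemplateName)
}
if ($issued) {
    $issued | ForEach-Object {
        Write-Host ("Issued: {0}  by {1}  expires {2}" -f $_.Subject, $_.Issuer, $_.NotAfter)
    }
} else {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My yet; check the Application event log for source 'AutoEnrollment' / 'CertificateServicesClient-AutoEnrollment'."
}
```

If step 2 reports an Enterprise CA but step 3 shows "Access is denied" on the template line, the missing piece is the Autoenroll permission for Domain Computers on the template's security tab, not the CA or the edition of Windows; if step 1 finds no AEPolicy value, nothing else in the chain matters until the GPO reaches the machine.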