Auto-enrollment in proper CA
Hello,
In my lab I have CA hierarchy which looks like that:
Enterprise CA ----- Office 1
|
|
SubEnterprise CA ----- Office 2
Enterprise CA is on a Domain Controller. There are two user groups: Office1 and Office2. On the DC there is a GPO for user certificate auto-enrollment. On Enterprise CA there is a duplicated user certificate template for Office 1's user group, and on SubEnterprise CA there is a duplicated user certificate template for Office 2's user group. And that works fine.
I have a question related to computer and IPsec certificates. On the DC there is a configuration for computer and IPsec auto-enrollment enabled. Every computer, even from Office 2, is given a computer and IPsec certificate from Enterprise CA, not from SubEnterprise CA.
It is rather obvious, but is it possible to change the situation so that PCs from Office are given a certificate from SubEnterprise CA? I think then I should create a group for Office 1 computers and a group for Office 2 computers and create proper certificate templates on Enterprise and SubEnterprise CA for computer and IPsec. OK, but what will happen if a new computer is connected to Office 1 or 2? It will not be given a certificate, right? The administrator will have to make this computer a member of a group, then the user should restart the computer to get the certificate automatically. Is that the only possible way? It's complicated. Auto-enrollment in this case is more complex than requesting a certificate manually...
Best,
November 27th, 2010 6:29am
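Once the computer templates are scoped to the Office 1 and Office 2 computer groups, an administrator will want to confirm which CA actually issued a given workstation's computer and IPsec certificates. The following PowerShell check is an added example, not code from either post; it reads the local machine store, decodes the certificate template extension, and flags certificates whose issuer is not the CA expected for that office (the expected issuer name is a placeholder).

```powershell
# Added example (not from the original thread): report which CA issued each
# template-based certificate in the local machine store and flag any that did
# not come from the CA expected for this office.
param(
    # Placeholder: common name of the CA that should be issuing to this office.
    [string]$ExpectedIssuer = 'SubEnterprise CA'
)

# "Certificate Template Information" (v2+ templates) and the older
# "Certificate Template Name" (v1 templates) extension OIDs.
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateInfoOid -or $ext.Oid.Value -eq $TemplateNameOid) {
            # Decoded form, e.g. "Template=Workstation Authentication(1.3.6....), Major Version Number=..."
            return $ext.Format($false)
        }
    }
    return $null   # not enrolled from a template (self-signed, manually imported, ...)
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $template = Get-TemplateName -Cert $_
    if (-not $template) { return }   # only auto-enrolled / template-based certificates matter here

    # Issuer is a distinguished name such as "CN=SubEnterprise CA, DC=lab, DC=local";
    # keep only the CN for comparison.
    $issuerCn = (($_.Issuer -split ',')[0] -replace '^CN=', '').Trim()

    [pscustomobject]@{
        Subject        = $_.Subject
        Template       = $template
        Issuer         = $issuerCn
        Expires        = $_.NotAfter
        FromExpectedCA = ($issuerCn -eq $ExpectedIssuer)
    }
} | Sort-Object FromExpectedCA | Format-Table -AutoSize
```

Run it on a workstation in each office after the machine has been added to its computer group and restarted; a row with FromExpectedCA = False means that certificate was still issued by the other CA and the template's autoenroll permissions or the GPO need another look.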
On Sat, 27 Nov 2010 11:24:26 +0000, ambitiousBeginner wrote:
In my lab I have a CA hierarchy which looks like this:
Enterprise CA ----- Office 1
|
|
SubEnterprise CA ----- Office 2
Enterprise CA is on a Domain Controller. There are two user groups: Office1 and Office2. On the DC there is a GPO for user certificate auto-enrollment. On Enterprise CA there is a duplicated user certificate template for Office 1's user group, and on SubEnterprise CA there is a duplicated user certificate template for Office 2's user group. And that works fine.
I have a question related to computer and IPsec certificates. On the DC there is a configuration for computer and IPsec auto-enrollment enabled. Every computer, even from Office 2, is given a computer and IPsec certificate from Enterprise CA, not from SubEnterprise CA.
It is rather obvious, but is it possible to change the situation so that PCs from Office are given a certificate from SubEnterprise CA? I think then I should create a group for Office 1 computers and a group for Office 2 computers and create proper certificate templates on Enterprise and SubEnterprise CA for computer and IPsec. OK, but what will happen if a new computer is connected to Office 1 or 2? It will not be given a certificate, right? The administrator will have to make this computer a member of a group, then the user should restart the computer to get the certificate automatically. Is that the only possible way? It's complicated. Auto-enrollment in this case is more complex than requesting a certificate manually...
1. It is never a good idea from a security perspective to be running a CA
on your DC. There are a number of other reasons why this isn't a good idea
including the fact that you can't remove or rename that DC.
2. Why do you care where your computers get IPSec certs from? It really
doesn't matter.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 27th, 2010 6:36am