Automatic certificate request confusion
I am confused on a number of points for auto-enrollment and I am hoping someone can clarify.

CA: Windows 2008 Standard
Domain: 2003 mode
Clients: XP+

On the client side I understand that I need the Group Policy set for auto-enrollment and have done so for a test OU. On my Enterprise CA I have the Computer certificate template under Certificate Templates.

Now, if I understand correctly, the default template would be considered V1, correct? Do I need to make a copy of that template to make a V2 template? What do I name it, and what additional parameters do I need to have set?

My main objective is to deploy computer certificates so that I can move SCCM into native mode.

Edit: corrected server edition.
February 23rd, 2010 1:29am

There are two different ways to deploy certificates for computer accounts in your scenario:

1) ACRS - uses only V1 certificate templates, so your only choice is the Computer certificate template. This will deploy automatically to Win2k+ (not really relevant for your deployment).

2) Autoenrollment. This requires V2 certificate templates (custom, or Workstation Authentication will work in your case; you can name your V2 template absolutely anything). This also requires GPO and correct permission assignments.

Details are in the following whitepaper (even though the CA is R2). Make sure you use a Windows Server 2003 template (not a 2008 template) if you do a custom one, since you are running XP clients.

http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx

Brian
February 23rd, 2010 3:30am

I have created my custom template from the original Computer template and marked it for Read, Enroll and Autoenroll for Domain Computers, as well as marked it to be published in AD. I have also forced replication and checked each DC with the Certificate Templates snap-in to see that it has replicated. However, I am not able to see it in the list when I go to New -> Certificate Template to Issue in the Certification Authority snap-in. What am I missing?
February 23rd, 2010 10:58pm
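As an added example (not code from any poster in this thread), the following PowerShell check answers the two questions raised above from a domain-joined machine: whether the custom template has replicated into the Configuration partition and which schema version it is (V1 is ACRS-only, V2/V3 support autoenrollment), and whether any enterprise CA already lists it as issuable. It uses only ADSI/.NET; the template CN 'ComputerAutoEnroll' is a placeholder.

```powershell
# Added example, not from the thread: where does a custom template stand in AD?
#   1. Has it replicated into the Configuration partition, and is it V1 (ACRS only)
#      or V2/V3 (autoenrollment capable)?
#   2. Does any enterprise CA already list it under "Certificate Template to Issue"?
# Needs read access to CN=Public Key Services (Authenticated Users have it by default).
# 'ComputerAutoEnroll' is a placeholder template CN; substitute your own.
param([string]$TemplateName = 'ComputerAutoEnroll')

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# --- 1. Locate the template object and read its schema version -----------------
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher
$tplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$tplSearch.Filter     = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
[void]$tplSearch.PropertiesToLoad.AddRange(@('cn', 'msPKI-Template-Schema-Version'))
$tpl = $tplSearch.FindOne()
if (-not $tpl) {
    throw "Template '$TemplateName' is not in the Configuration partition yet (replication lag or wrong CN)."
}
# SearchResult property names come back lower-cased.
$schemaVersion = [int]$tpl.Properties['mspki-template-schema-version'][0]
$kind = switch ($schemaVersion) {
    1       { 'V1: deployable only through ACRS, not autoenrollment' }
    2       { 'V2: autoenrollment capable (Windows Server 2003 compatibility)' }
    3       { 'V3: autoenrollment capable, CNG template (Windows Server 2008 compatibility)' }
    default { "unknown schema version $schemaVersion" }
}
"Template '{0}' found: {1}" -f $TemplateName, $kind

# --- 2. Which enterprise CAs have enabled the template? ------------------------
$caSearch = New-Object System.DirectoryServices.DirectorySearcher
$caSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$caSearch.Filter     = '(objectClass=pKIEnrollmentService)'
[void]$caSearch.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'certificateTemplates'))
foreach ($ca in $caSearch.FindAll()) {
    # certificateTemplates is the multi-valued list that the CA snap-in edits through
    # "Certificate Templates -> New -> Certificate Template to Issue".
    $issuable = @($ca.Properties['certificatetemplates'] | ForEach-Object { "$_" })
    $state = if ($issuable -contains $TemplateName) { 'PUBLISHED on this CA' } else { 'NOT published on this CA' }
    "{0} ({1}): {2}" -f $ca.Properties['cn'][0], $ca.Properties['dnshostname'][0], $state
}
```

If the template is found with schema version 2 or 3 but the CA snap-in still does not offer it, the template itself is fine and the problem lies with the CA (edition or, as found later in this thread, an in-place upgrade).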

If you read the link, there are several possibilities:

1) Did you enable the Autoenrollment Settings group policy for the computers?
2) Did you enable the two check boxes required in the Group Policy settings?
3) If you have more than one domain, did you add the correct domain's Domain Computers group?

Brian
February 23rd, 2010 11:54pm

??? I am not able to see my template in the list when I go to New -> Certificate Template to Issue in the Certification Authority snap-in. This is the step BEFORE applying the GP.
February 24th, 2010 12:32am

Well, it must be available for enrollment (of course).

Since you are running 2008 R2 as the CA, you can use the Standard, Enterprise or Datacenter SKUs.

It could be a replication issue; sometimes you have to wait about 30 minutes before it is available for enrollment publication.

Brian
February 24th, 2010 2:02am

I forced replication, and many hours have passed. Correction: it is 2008 Standard, not R2 as I had originally thought. This may be my problem, as according to this http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx Standard can only handle V1 certs; you need Enterprise or Datacenter for V2 certs.
February 24th, 2010 2:16am

Yanked this out of the help file. Looks like the "all editions" support was new to R2. So what are my options here? Is it possible to re-key to Enterprise Edition (I think we have a spare partner key) or in-place upgrade to R2?

Version 2 certificate templates

Version 2 certificate templates were introduced in Windows Server 2003 and can be configured by an administrator to control the way certificates are requested, issued, and used. Version 2 templates provide support for certificate autoenrollment.

Enrollment options:
- Automatic enrollment: Autoenrollment in Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP Professional; custom scripts
- Manual enrollment: Certificate Enrollment Wizard; CA Web enrollment pages

Template availability:
- Windows Server 2008 R2, all editions
- Windows Server 2008, Enterprise and Datacenter editions
- Windows Server 2003 R2, Enterprise and Datacenter editions
- Windows Server 2003, Enterprise and Datacenter editions
February 24th, 2010 2:31am

You can do an in-place upgrade to either 2008 Enterprise Edition or to 2008 R2 Standard Edition. A lot of this depends on your architecture.

If 32-bit, then stick with 2008.
If 64-bit, I would personally go to Server 2008 R2.

Brian
February 24th, 2010 7:39am

The other trick is that this box is also currently a DC. I guess I will have to go through both the CA and DC upgrade guides to see how this will impact my environment, as I would hate to have to do another schema update among the other upgrades on the go. The server is already 64-bit, so R2 seems like the best choice given software assurance to stay on Standard Edition; I am just not sure my environment is ready for R2.
February 24th, 2010 7:33pm

If you want to get rid of future headaches (and yes, you are going to have them in your current environment): never install a CA on a DC.

Uninstall the CA.
Install on a new box running R2.

Brian
February 24th, 2010 8:27pm

Well, digging through the 2008 R2 docs, it appears that you absolutely need to be running Enterprise or Datacenter to auto-enroll; you cannot use 2008 R2 Standard Edition. http://technet.microsoft.com/en-us/library/ee407543(WS.10).aspx

"To perform autoenrollment of client computer and user certificates, your CA must be running the Windows Server 2008 or Windows Server 2008 R2 Enterprise operating system or the Windows Server 2008 or Windows Server 2008 R2 Datacenter operating system and must be an issuing CA. Although AD CS can be deployed on a single server, many deployments use multiple servers configured as CAs."
March 1st, 2010 7:35pm

This contradicts the deployment document, so I have no clue what is correct. http://technet.microsoft.com/en-us/magazine/2009.05.pki.aspx?pr=blog

"Improved Existing Scenarios

Windows 7 and R2 include a number of incremental improvements to existing features. First is a change to SKU differentiation for Certificate Templates. In prior releases of AD CS, advanced (version 2 and 3) Certificate Templates that enable the autoenrollment functionality required Enterprise edition CAs. In Windows Server 2008 R2, a Standard edition CA will support all template versions. R2 also introduces some improvements to the Simple Certificate Enrollment Protocol support. In R2, the SCEP component will support device renewal requests and password reuse."
March 1st, 2010 8:02pm

If you are running Windows Server 2008 R2 as your CA, then you can use the Standard SKU to deploy certificates based on V2 and V3 certificate templates.

As it says in your last post, AD CS prior to 2008 R2 requires the Enterprise or Datacenter SKUs.

Brian
March 1st, 2010 8:32pm

Well, then I am stumped. I now have a Windows Server 2008 R2 CA; I customize a template, select the Autoenroll permission for Domain Computers and select 2003 for compatibility. I then go and right-click Certificate Templates -> New -> Certificate Template to Issue, and my custom template does not appear.
March 1st, 2010 9:05pm

http://support.microsoft.com/kb/967332

"V2 and V3 templates are not available if an in-place upgrade was performed from a Windows Server 2003 or 2008 Certification Authority (CA) to a Windows Server 2008 enterprise CA."

BINGO!
March 1st, 2010 9:56pm
