How to have a Windows 2003 and 2008 server and use one certificate authority.
I have a Windows 2003 Server with Active Directory and Certificate Authority and a Windows 2008 Server with Active Directory and Certificate Authority, both with Enterprise Certificates set up, that I use for testing. I would like to turn off Certificate Authority on my 2003 Server by stopping Certificate Services so that I would only need one Certificate Authority. How could I use only my 2008 Certificate Authority and use it for my 2008 and 2003 Policies and Users in Active Directory? The reason I want to do this is because I have VMs with Windows XP, 7 and Vista users for my users on Windows 2003 Servers and I don't want to make a separate set of Windows VMs for my 2008 Server setup with a different Certificate Authority. If I can use one set of VMs and use the same certificates for both servers it would make my setup less complex. Skier
October 3rd, 2011 8:27pm

Do you mean you have two domains in two different forests, or is it just two DCs in the same domain/forest? If your servers are all members of the same domain then there is no need to have more than one CA to service all domain members with certificates, regardless of the version of the operating system. /Hasain
October 4th, 2011 1:17am

Hasain, Basically the 2003 Server and the 2008 Server are set up pretty much the same except the Certificate Authorities are different. They both use the same domain SQA.net. This was set up when I had more PCs to use for testing. Now we have moved to the Dell PowerEdge T410 PC which I use to set up all of my VMs using Oracle VM VirtualBox Manager with multiple NIC cards. Now that we have moved to the VM model I need to consolidate my VMs for authenticating users. Therefore, like you said, there is no need to have more than one CA. What would I need to do in order to set up my CA on my 2008 Server so it can be used for both my 2003 and 2008 Server plus all my users? I haven't found any documentation on how to go about this. Plus, if I remove Certificate Authority on my 2003 Server then how do I get the certificates on my 2003 Server that I use when I set up policies in IAS? Skier
October 4th, 2011 9:25am

The Windows Server 2008 CA is fully backward compatible with downstream clients and you do not need to configure anything special for that. To automatically manage the IAS server certificate:
Make sure the IAS server is registered in Active Directory: http://technet.microsoft.com/en-us/library/cc780214(WS.10).aspx
Configure a certificate template and enable autoenrollment for the IAS server certificate: http://technet.microsoft.com/en-us/library/cc754198.aspx
/Hasain
October 4th, 2011 1:00pm

Hasain, Thanks for the info. I feel I am getting close to success. I did this on my 2003 Server: Make sure the IAS server is registered in Active Directory http://technet.microsoft.com/en-us/library/cc780214(WS.10).aspx. I did this on my 2008 Server: Configure a certificate template and enable autoenrollment for the IAS server certificate http://technet.microsoft.com/en-us/library/cc754198.aspx. When I create the template do I need to select Publish certificate in Active Directory under the General tab? Now what is the next step to getting the 2008 CA to work on my 2003 Server? When you go to IAS > Remote Access Policy > Select Policy > Double-click > Edit Profile > Authentication > EAP Methods > Select Edit, highlight Smart Card or other certificate and select Edit, it says Certificate Issued. How do I get it to allow me to select my 2008 Server R2 CA? Currently I am only allowed to select my 2003 CA. Then the next question would be getting the certificate onto my PC when I want to join the 2003 Server domain? I am assuming it will know what to use. Thanks for all your help, Scott. PS. Basically we are just trying to use a 2003 IAS server and a 2008 NPS server with the same certificates for the supplicants. Skier
October 4th, 2011 4:27pm

When I create the template do I need to select Publish certificate in Active Directory under the General tab? .... When you go to IAS > Remote Access Policy > Select Policy > Double-click > Edit Profile > Authentication > EAP Methods > Select Edit, highlight Smart Card or other certificate and select Edit, it says Certificate Issued. How do I get it to allow me to select my 2008 Server R2 CA? Currently I am only allowed to select my 2003 CA. Then the next question would be getting the certificate onto my PC when I want to join the 2003 Server domain? I am assuming it will know what to use. Thanks for all your help, Scott. PS. Basically we are just trying to use a 2003 IAS server and a 2008 NPS server with the same certificates for the supplicants. Skier

You do not need to publish the IAS certificate in AD. You should see and select the certificate issued by your 2008 CA in the list, not the 2008 CA certificate itself; the reason you have the 2003 CA in the list is because your IAS is running on the same machine as the CA! If the certificate is not there, you probably need to restart your IAS server, because Register in Active Directory adds the server account to a new security group. After that autoenrollment will take care of the new server certificate and you should receive a new certificate from the 2008 CA to select in the certificate list. All members of the domain are going to trust the enterprise CA automatically; the only requirement to get this done is domain membership in the same domain. /Hasain
October 5th, 2011 12:20am

Hasain, Thanks for the feedback. So far I am not seeing the 2008 CA in the "issued by" on my 2003 Server. My domain is SQA.net on both servers. I was wondering if I need to remove the old Certificate Authority on my 2003 Server in order for this to work. I am going to double check my steps but so far no luck. Skier
October 5th, 2011 9:13am

Autoenrollment is not going to re-enroll the same template if you already have a certificate based on that template. /Hasain
October 5th, 2011 12:05pm

I am sorry, I am confused by your last statement. So do I need to remove the Certificate Authority on my 2003 Server R2 before I do anything? Skier
October 5th, 2011 12:35pm

Hi Hasain, I decommissioned and removed the Certificate Authority from the 2003 Server and I am still not having any luck. Here are my steps; maybe I am missing something.

2003 Server setup:
1. Open Internet Authentication Service.
2. Right-click Internet Authentication Service, and then click Register Server in Active Directory.
3. When the Register Internet Authentication Service in Active Directory dialog box appears, click OK.
4. Open Command Prompt.
5. At the command prompt, type netsh ras add registeredserver Domain IASServer, where Domain is the DNS domain name of the domain and IASServer is the name of the IAS server computer.

2008 Server R2, to configure the certificate template and auto-enrollment:
1. On the computer where Active Directory Certificate Services is installed, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Available snap-ins, double-click Certification Authority. Select the CA that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning to the Add or Remove Snap-ins dialog box.
4. In Available snap-ins, double-click Certificate Templates, and then click OK.
5. In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.
6. In the details pane, click the RAS and IAS Server template. On the Action menu, click Duplicate Template.
7. In the Duplicate Template dialog box, select the template version appropriate for your deployment, and then click OK. The new template properties dialog box opens.
8. On the General tab, in Display Name, type a new name for the certificate template or keep the default name.
9. Click the Security tab. In Group or user names, click RAS and IAS Servers. In Permissions for RAS and IAS Servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.
10. Double-click Certification Authority, double-click the CA name, and then click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
11. In Enable Certificate Templates, click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of RAS and IAS Server, and then click OK.
12. On the computer where Active Directory Domain Services (AD DS) is installed, click Start, click Run, type mmc, and then click OK.
13. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
14. In Available snap-ins, double-click Group Policy Management Editor. The Select Group Policy Object wizard opens. Click Browse, and then select the Default Domain Policy. Click OK, click Finish, and then click OK again.
15. Double-click Default Domain Policy. Open Computer Configuration, Policies, Windows Settings, Security Settings, and then select Public Key Policies.
16. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Certificate Services Client - Auto-Enrollment Properties dialog box opens.
17. In Configuration Model, select Enabled. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box. Select the Update certificates that use certificate templates check box, and then click OK.

From there I should be able to go to my 2003 Server, select Internet Authentication Service > Remote Access Policy > My EAP-TLS Policy with Certificates, double-click EAP-TLS Policy > Edit Profile > Authentication > EAP Methods > Select Smart Card or certificate > Select Edit, and I should see the "issued to" for the 2008 Server CA. At this point I am getting an error that the certificate cannot be found. Any ideas? I seem to be missing a step. Thanks, Scott Skier
October 6th, 2011 10:22am
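The check a practitioner would run at this point, on the IAS/NPS server itself, is whether a certificate from the duplicated template has actually arrived in the computer's Personal store and chains to a trusted CA; IAS only offers certificates it finds there. The following is an added example, not code from this thread or from Microsoft's documentation. It reads each certificate's Certificate Template extension, checks for the Server Authentication EKU, and pulses autoenrollment if nothing matches. The template name 'Copy of RAS and IAS Server' and the CA name 'SQA-2008-CA' are assumptions standing in for whatever you created.

```powershell
# Added example (not from the thread). Run on the IAS/NPS server, elevated.
# Template and CA names below are assumptions; substitute your own.
$templateName = 'Copy of RAS and IAS Server'   # assumed display name of the duplicated template
$issuerName   = 'SQA-2008-CA'                  # assumed common name of the 2008 enterprise CA

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2 (2003+) templates use OID 1.3.6.1.4.1.311.21.7, v1 templates 1.3.6.1.4.1.311.20.2.
    # Format($false) renders the v2 extension as "Template=<display name>(<oid>), Major Version ...".
    foreach ($ext in $Cert.Extensions) {
        if (@('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') -contains $ext.Oid.Value) {
            return $ext.Format($false)
        }
    }
    return $null
}

function Find-IasServerCert {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [Parameter(Mandatory = $true)][string]$IssuerName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, what EAP-TLS/PEAP needs on the server side
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $false
        if ($eku) {
            $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }
        $template = Get-CertTemplateName -Cert $cert
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Template      = $template
            ServerAuth    = $hasServerAuth
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $cert.Verify()   # false when the issuing CA is not trusted on this machine
            Match         = ($cert.Issuer -like "*$IssuerName*") -and ($template -like "*$TemplateName*") -and $hasServerAuth
        }
    }
}

$hits = Find-IasServerCert -TemplateName $templateName -IssuerName $issuerName | Where-Object { $_.Match }

if ($hits) {
    $hits | Format-List Thumbprint, Subject, Issuer, Template, ChainTrusted, HasPrivateKey
}
else {
    # Nothing enrolled yet: trigger autoenrollment now instead of waiting for the next
    # policy refresh, then look for CertificateServicesClient-AutoEnrollment events
    # in the Application log for the reason (template not published, no Enroll/Autoenroll
    # permission for RAS and IAS Servers, group membership not yet in the Kerberos ticket).
    certutil -pulse | Out-Null
    Write-Warning "No certificate from '$templateName' issued by '$issuerName' in Cert:\LocalMachine\My; autoenrollment pulsed."
}
```

A certificate that matches but shows ChainTrusted = False points at the other half of the problem: the 2008 CA's certificate has to be in this machine's Trusted Root store, which for an enterprise CA happens through domain membership, not through anything in the IAS snap-in.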

The steps are just fine! If you request the certificate manually:
Start MMC and add the Certificates snap-in and select the computer account and the local computer.
In MMC, expand Certificates - Local Computer.
Right-click Personal, point to All Tasks, and then click Request New Certificate.
On the Certificate Types page, locate the "RAS and IAS Server" template in the Certificate types list, and then click Next until Finish.
/Hasain
October 6th, 2011 1:04pm

Hasain, For some reason when I do an MMC I am not seeing the certificate template RAS and IAS Server. I am going to investigate. I should also be able to reverse the procedure between my 2003 and 2008 Server? Thanks for all your help, Scott Skier
October 6th, 2011 3:32pm

Hasain, If I do the steps below I do not see the certificate in the list. Are there some troubleshooting steps I can do to see why the certificate is not present? Thanks, Scott

If you request the certificate manually: Start MMC and add the Certificates snap-in and select the computer account and the local computer. In MMC, expand Certificates - Local Computer. Right-click Personal, point to All Tasks, and then click Request New Certificate. On the Certificate Types page, locate the "RAS and IAS Server" template in the Certificate types list, and then click Next until Finish. Skier
October 14th, 2011 9:32am

Can you try the following commands on your server:
certutil -adtemplate
certutil -catemplates
/Hasain
October 14th, 2011 9:44am

Here is the information from the certutil command. I couldn't get it to work from the 2008 CA to the 2003 Server, so I am trying now from the 2003 CA to the 2008 Server since they should be backward compatible.

2008 Server

C:\Users\Administrator>certutil -adtemplate
Administrator: Administrator -- Auto-Enroll: Access is denied.
CA: Root Certification Authority -- Auto-Enroll: Access is denied.
CAExchange: CA Exchange -- Auto-Enroll: Access is denied.
CEPEncryption: CEP Encryption -- Auto-Enroll: Access is denied.
ClientAuth: Authenticated Session -- Auto-Enroll: Access is denied.
CodeSigning: Code Signing -- Auto-Enroll: Access is denied.
CrossCA: Cross Certification Authority -- Auto-Enroll: Access is denied.
CTLSigning: Trust List Signing -- Auto-Enroll: Access is denied.
DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
EnrollmentAgent: Enrollment Agent -- Auto-Enroll: Access is denied.
EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request) -- Auto-Enroll: Access is denied.
ExchangeUser: Exchange User -- Auto-Enroll: Access is denied.
ExchangeUserSignature: Exchange Signature Only -- Auto-Enroll: Access is denied.
IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.
IPSECIntermediateOnline: IPSec -- Auto-Enroll: Access is denied.
KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied.
KeyRecoveryAgent: Key Recovery Agent -- Auto-Enroll: Access is denied.
Machine: Computer -- Auto-Enroll: Access is denied.
MachineEnrollmentAgent: Enrollment Agent (Computer) -- Auto-Enroll: Access is denied.
OCSPResponseSigning: OCSP Response Signing -- Auto-Enroll: Access is denied.
OfflineRouter: Router (Offline request) -- Auto-Enroll: Access is denied.
RASAndIASServer: RAS and IAS Server -- Auto-Enroll: Access is denied.
SmartcardLogon: Smartcard Logon -- Auto-Enroll: Access is denied.
SmartcardUser: Smartcard User -- Auto-Enroll: Access is denied.
SQAComputerCertificate: SQA Computer Certificate -- Auto-Enroll
SQAIxNetworksCertificate: SQA IxNetworks Certificate -- Auto-Enroll
SQAUserCertificate: SQA User Certificate -- Auto-Enroll
SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
User: User -- Auto-Enroll: Access is denied.
UserSignature: User Signature Only -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
Workstation: Workstation Authentication -- Auto-Enroll: Access is denied.
CertUtil: -ADTemplate command completed successfully.

C:\Users\Administrator>certutil -catemplates
SQAIxNetworksCertificate: SQA IxNetworks Certificate -- Auto-Enroll
SQAComputerCertificate: SQA Computer Certificate -- Auto-Enroll
SQAUserCertificate: SQA User Certificate -- Auto-Enroll
DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
Machine: Computer -- Auto-Enroll: Access is denied.
User: User -- Auto-Enroll: Access is denied.
SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
Administrator: Administrator -- Auto-Enroll: Access is denied.
CertUtil: -CATemplates command completed successfully.

2003 Server

C:\Documents and Settings\Administrator>certutil -catemplates
2003RASandIASServer: 2003 RAS and IAS Server
SQAIxNetworksCertificate: SQA IxNetworks Certificate
SQAComputerCertificate: SQA Computer Certificate
SQAUserCertificate: SQA User Certificate
DirectoryEmailReplication: Directory Email Replication
DomainControllerAuthentication: Domain Controller Authentication
EFSRecovery: EFS Recovery Agent
EFS: Basic EFS
DomainController: Domain Controller
WebServer: Web Server
Machine: Computer
User: User
SubCA: Subordinate Certification Authority
Administrator: Administrator
CertUtil: -CATemplates command completed successfully.

C:\Documents and Settings\Administrator> Skier
October 17th, 2011 7:44pm
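The two listings above answer the question mechanically: -adtemplate shows what templates exist in the forest, -catemplates shows what this particular CA will issue, and a template can be in the first list but not the second. The following is an added example, not code from this thread, that parses both listings and classifies each template an IAS/NPS server needs as missing from AD, defined but not published on the CA, or published but not autoenrollable by the account that ran certutil. The sample text is a trimmed copy of the 2008 CA output posted above; the list of required template names is an assumption for illustration.

```powershell
# Added example (not from the thread): classify certutil -adtemplate / -catemplates output.

function ConvertFrom-CertutilTemplates {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # Line shape on 2008: "<CommonName>: <DisplayName>[ -- Auto-Enroll[: <reason>]]".
    # 2003's certutil prints no "-- Auto-Enroll" suffix at all, so CanAutoEnroll is
    # only meaningful for output from a 2008 machine.
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line -like 'CertUtil:*') { continue }   # skip the trailing status line
        if ($line -match '^(?<cn>[^:\s]+):\s+(?<name>.+?)(?:\s+--\s+Auto-Enroll(?::\s+(?<reason>.+))?)?$') {
            $reason = $Matches['reason']    # $null when the group did not participate
            New-Object PSObject -Property @{
                CommonName    = $Matches['cn']
                DisplayName   = $Matches['name']
                CanAutoEnroll = ($line -like '*-- Auto-Enroll*') -and (-not $reason)
                Reason        = $reason
            }
        }
    }
}

function Test-TemplateIssuable {
    param(
        [Parameter(Mandatory = $true)][string[]]$AdTemplateOutput,
        [Parameter(Mandatory = $true)][string[]]$CaTemplateOutput,
        [Parameter(Mandatory = $true)][string[]]$RequiredCommonName
    )
    $inAd = ConvertFrom-CertutilTemplates -Lines $AdTemplateOutput
    $onCa = ConvertFrom-CertutilTemplates -Lines $CaTemplateOutput
    foreach ($cn in $RequiredCommonName) {
        $ad = $inAd | Where-Object { $_.CommonName -eq $cn }
        $ca = $onCa | Where-Object { $_.CommonName -eq $cn }
        if (-not $ad) {
            $state = 'NOT IN AD: template does not exist in this forest (created in a different forest?)'
        }
        elseif (-not $ca) {
            $state = 'NOT PUBLISHED: defined in AD but this CA does not issue it (Certificate Templates > New > Certificate Template to Issue)'
        }
        elseif (-not $ca.CanAutoEnroll) {
            $state = "PUBLISHED, but this account cannot autoenroll ($($ca.Reason))"
        }
        else {
            $state = 'OK: published and autoenrollable'
        }
        New-Object PSObject -Property @{ Template = $cn; State = $state }
    }
}

# Constructed sample: a trimmed copy of the 2008 CA listings posted in this thread.
# On a live server use:  $ad = certutil -adtemplate ; $ca = certutil -catemplates
$adSample = @'
CAExchange: CA Exchange -- Auto-Enroll: Access is denied.
RASAndIASServer: RAS and IAS Server -- Auto-Enroll: Access is denied.
SQAComputerCertificate: SQA Computer Certificate -- Auto-Enroll
SQAUserCertificate: SQA User Certificate -- Auto-Enroll
Machine: Computer -- Auto-Enroll: Access is denied.
CertUtil: -ADTemplate command completed successfully.
'@ -split "`r?`n"

$caSample = @'
SQAIxNetworksCertificate: SQA IxNetworks Certificate -- Auto-Enroll
SQAComputerCertificate: SQA Computer Certificate -- Auto-Enroll
SQAUserCertificate: SQA User Certificate -- Auto-Enroll
Machine: Computer -- Auto-Enroll: Access is denied.
CertUtil: -CATemplates command completed successfully.
'@ -split "`r?`n"

# Assumed list of templates the IAS server should be able to get; the third name only
# exists in the 2003 listing above, which is the clue that the two CAs see different ADs.
Test-TemplateIssuable -AdTemplateOutput $adSample -CaTemplateOutput $caSample `
    -RequiredCommonName 'RASAndIASServer', 'SQAComputerCertificate', '2003RASandIASServer' |
    Format-Table Template, State -AutoSize
```

Against the sample, RASAndIASServer comes back NOT PUBLISHED, SQAComputerCertificate comes back OK, and 2003RASandIASServer comes back NOT IN AD. "Access is denied" on the autoenroll column is relative to the account that ran certutil, so an Administrator seeing it for RAS and IAS Server is normal; what matters is that the RAS and IAS Servers group has Enroll and Autoenroll on the template.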

According to the results above, the RAS and IAS Server template is not enabled/published on your 2008 CA! /Hasain
October 18th, 2011 9:14am

Hi Hasain, OK, so it sounds like this is the step I am missing. So are you referring to the RAS and IAS Server template on my 2008 Server? I thought I only needed to do this on my 2003 Server and they would automatically enroll on my 2008 Server? The same would apply if I was doing 2008 CA to my 2003 Server. Or do I need to do this step on all my servers? Can you walk me through what I need to do on my 2008 server? Thanks, Scott Skier
October 18th, 2011 5:07pm

You previously wrote that the 2003 CA was decommissioned and removed from the 2003 server, so the only CA left is the 2008 CA, and if it does not have the RAS and IAS template published you will not be able to get any certificates based on that template from this CA. Additionally there is a difference in the AD template list between your 2003 and 2008 servers: the 2003RASandIASServer: 2003 RAS and IAS Server template is missing from the AD template list on 2008 but present in your 2003 CA templates! That leads me to the question of whether the two servers really are part of the same domain. /Hasain
October 19th, 2011 1:11am

The servers are on the same domain but they were made independently. I am going to check DNS and make sure it has an entry in there for the other server. Skier
October 19th, 2011 4:13pm

The servers are on the same domain but they were made independently... What do you mean by that? /Hasain
October 20th, 2011 1:05am

Hasain, Since we have switched from having multiple PCs to having one PC (Dell PowerEdge T410) with Oracle VM VirtualBox Manager, this is where I created all my servers and clients separately. I had a Windows 2003 Server R2 64-bit VM created with Certificate Authority and I also created another VM with Windows 2008 Server R2 64-bit with Certificate Authority. I created them both using the SQA.net domain. Usually in the past when I created them on a PC it would detect that there was another server on the network, making the second server a backup. When I created the 2008 Server it never detected the 2003 server on the network. Therefore they are the same domain but it is like having two separate primary servers. Scott Skier
October 20th, 2011 8:53am

OK, based on your description you actually have two separate forests with the same domain name in each. This means the servers can never communicate with each other nor function in a domain context as members of the same domain. /Hasain
October 20th, 2011 10:52am
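The diagnosis above can be confirmed from a client VM rather than inferred from template lists: two DCs that really belong to one domain agree on the domain's objectGUID and SID and on the objectGUID of the Configuration container, while two forests that were promoted independently and both happen to be called SQA.net do not, whatever DNS says. The following is an added example, not code from this thread; it binds to each DC's RootDSE over LDAP and compares those identifiers. The hostnames 2003ServerR2.SQA.net and 2008ServerR2.SQA.net are the ones Scott mentions later and are used here as assumptions. If the bind to one DC fails outright, that is the VirtualBox networking problem Hasain mentions, to be fixed before anything else.

```powershell
# Added example (not from the thread): compare the identity of the domain behind two DCs.
# Requires LDAP (TCP 389) reachability to both DCs from where this runs; hostnames are assumed.

function Get-DomainIdentity {
    param([Parameter(Mandatory = $true)][string]$DcHostName)
    # RootDSE is readable without authentication and names the domain and config NCs this DC hosts.
    $rootDse  = [ADSI]"LDAP://$DcHostName/RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext
    $configDn = [string]$rootDse.configurationNamingContext
    $domain   = [ADSI]"LDAP://$DcHostName/$domainDn"
    $config   = [ADSI]"LDAP://$DcHostName/$configDn"
    New-Object PSObject -Property @{
        DC         = $DcHostName
        DomainDN   = $domainDn
        ForestRoot = [string]$rootDse.rootDomainNamingContext
        # objectGUID and objectSid are set once at dcpromo of the first DC; independently
        # built forests get different values even when the DNs are identical.
        DomainGuid = New-Object Guid -ArgumentList (,[byte[]]$domain.objectGUID.Value)
        ConfigGuid = New-Object Guid -ArgumentList (,[byte[]]$config.objectGUID.Value)
        DomainSid  = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([byte[]]$domain.objectSid.Value), 0).Value
    }
}

function Test-SameDomain {
    param(
        [Parameter(Mandatory = $true)][string]$DcA,
        [Parameter(Mandatory = $true)][string]$DcB
    )
    $a = Get-DomainIdentity -DcHostName $DcA
    $b = Get-DomainIdentity -DcHostName $DcB
    $sameName   = ($a.DomainDN -eq $b.DomainDN)
    $sameDomain = ($a.DomainGuid -eq $b.DomainGuid) -and ($a.DomainSid -eq $b.DomainSid)
    $sameForest = ($a.ConfigGuid -eq $b.ConfigGuid)
    if ($sameDomain) {
        $verdict = 'one domain, two DCs: a single enterprise CA serves both'
    }
    elseif ($sameForest) {
        $verdict = 'same forest, different domains: one enterprise CA still serves both'
    }
    elseif ($sameName) {
        $verdict = 'two independent forests with the same name: no trust is possible; demote one side and re-join it'
    }
    else {
        $verdict = 'two forests with different names: needs a forest trust plus cross-forest enrollment'
    }
    New-Object PSObject -Property @{
        DcA = $DcA; DcB = $DcB
        SameDnsName = $sameName; SameDomain = $sameDomain; SameForest = $sameForest
        DomainSidA = $a.DomainSid; DomainSidB = $b.DomainSid
        Verdict = $verdict
    }
}

# Assumed hostnames; run from a domain-joined client that can reach both.
Test-SameDomain -DcA '2003ServerR2.SQA.net' -DcB '2008ServerR2.SQA.net' | Format-List
```

The SID comparison is the one that also explains the symptom seen earlier in the thread: a computer account, and the RAS and IAS Servers group it was added to, live in exactly one of the two directories, so a CA in the other one has nothing to grant Autoenroll to.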

What would I need to do to make these two servers communicate? Is this as simple as adding a trust to Windows 2008 Server R2, and would I also need to do this on my 2003 Server? Or is it just adding DNS to the existing forward lookup zone SQA.net on both servers? http://www.misdivision.com/blog/how-to-create-a-trust-in-windows-server-2008-r2

First step: To specify other DNS servers as authoritative for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. Click the Name Servers tab.
4. Click Add.
5. Specify additional DNS servers by their names and IP addresses, and then click Add to add them to the list.

2nd step: Modify Zone Transfer Settings (Updated: May 9, 2008)
You can use this procedure to control whether a Domain Name System (DNS) zone will be transferred to other servers and which servers can receive the zone transfer. You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool. Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To modify zone transfer settings using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
   - To disable zone transfers, clear the Allow zone transfers check box.
   - To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
   - To allow zone transfers to any server, click To any server.
   - To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
   - To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Additional considerations: To improve the security of your DNS infrastructure, allow zone transfers only for either the DNS servers in the name server (NS) resource records for a zone or for specified DNS servers. If you allow any DNS server to perform a zone transfer, you are allowing internal network information to be transferred to any host that can contact your DNS server.

Thanks, Scott Skier
October 21st, 2011 1:42pm

It is not possible to have a trust between two domains sharing the same namespace! The simplest way is to remove one of the domains and join the other server to the remaining one. As I understand from your description you need to solve the problem with your virtualbox to enable the systems to communicate first. /Hasain
October 21st, 2011 2:04pm


I will remove the 2003 domain and re-add it to see if that works. Skier
October 24th, 2011 4:50pm

Hi Hasain, Removing the 2003 domain and then rerunning dcpromo works, but there are things I don't like about it:
1. All the users are the same on both servers.
2. Any changes to a user get replicated on the other server.
I would really like to create some different users on each server so that I will know which server is being used. The only thing that would be the same would be the certificate being used. Thanks, Scott Skier
November 1st, 2011 7:46pm

One option is to set up different domains in the same forest and use one single CA in either of the domains to enroll certificates to both domains. Another option is to set up two different forests with a trust and use cross-forest enrollment. /Hasain
November 2nd, 2011 2:05am

Hi Hasain, I am going to talk to some of my co-workers and see which options will work best for our testing purposes. But first I want to make sure I have my facts straight.
1. My first option is to remove the domain and re-add it. This will make my 2003 Server a backup server, my users will be replicated to both servers, and they will use the same CA.
2. My second option is to set up two different forests with a trust and use cross-forest enrollment. Now if I do that I will still need to run dcpromo, and rather than using the FQDN 2003ServerR2.SQA.net I would use 2003ServerR2.test.SQA.net, and my 2008 Server R2 would still be 2008ServerR2.SQA.net. Also, if I do this option I will be able to use the same certificates on both servers but I will be able to have different users set up on each server. But since I changed my domain 2003ServerR2.SQA.net to 2003ServerR2.test.SQA.net I will need to have separate VMs set up for each server in order to do authentication. Would that be true? If that is the case I may just lean towards creating a backup server as we previously discussed.
Thanks for all your help. Skier
November 7th, 2011 10:55am

Both options give you the result of having one enterprise CA to issue all certificates. But having two forests (option 2) with a trust and setting up cross-forest enrollment is a far more complex solution than just having both servers in the same domain! A third option is to have two domains in the same forest, making it possible to use the same enterprise CA with a less complex setup than using a cross-forest deployment. In any case you need to have two VMs for your two servers, but you do not need to have the VMs on separate servers just because they belong to different domains! You should consider the option that reflects your production deployment to have a realistic test. /Hasain
November 7th, 2011 2:01pm
