Need to learn basics of CA
Hi All,
I need to learn how the CA works. How does the computer request the certificate? In this process, what is the role of the DC and the CA server? I would also like to know how the certificate request works across the domain. How does the computer find the CA server in the forest?
Any useful URL or link to clarify the above questions?
Thanks & Regards, Kedar
February 25th, 2011 11:42pm
CBTNuggets are always helpful for getting the basics on new topics.
Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
February 27th, 2011 7:22pm
A computer that is a member of a domain usually requests SRV records from a DNS server to determine what computer is the domain controller. After the computer knows the DC, it then begins communication with the DC to determine what CA services are provided.
Active Directory stores its information about the domain's PKI in its Configuration directory partition. Active Directory also provides authentication services to the client that is requesting a certificate. I have listed a few links below that I think you may find useful:
PKI Technologies
http://technet.microsoft.com/en-us/library/cc779826%28WS.10%29.aspx
CA Certificates Technical Reference
http://technet.microsoft.com/en-us/library/cc736984%28WS.10%29.aspx
Certificates Technical Reference
http://technet.microsoft.com/en-us/library/cc785237%28WS.10%29.aspx
Certificate Services Technical Reference
http://technet.microsoft.com/en-us/library/cc776207%28WS.10%29.aspx
February 27th, 2011 8:17pm
Hi Kedar,
Here is a broad list of documentation for Windows PKI:
Windows PKI documentation reference and library
http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx
Hope this helps.
February 27th, 2011 8:34pm
Hi Matrix,
Thanks for the inputs. Just a quick clarification required. If I have an AD structure of CORP.COM, ABC.CORP.COM and PQR.CORP.COM
If I have a CA installed in the ABC.CORP.COM domain, can clients from the PQR.CORP.COM domain then request certificates from the CA? Will those clients be able to read CA information from AD (as they are not from the domain where the CA is installed)?
Thanks & Regards, Kedar
February 28th, 2011 5:36am
Hi Bruce-Liu,
Thanks for help.
Thanks & Regards, Kedar
February 28th, 2011 5:37am
The Active Directory configuration directory partition is replicated forest-wide, which means the information about the PKI should be replicated to all child domains. The DC that is the global catalog stores the configuration directory partition. You may need to configure special permissions on the certificate templates to allow users in another child domain to request certificates from the domain in which the CA is configured. I have listed a couple of links below that may be used as troubleshooting information if you have issues:
Certification Authority configuration to publish certificates in Active Directory of trusted domain
http://support.microsoft.com/kb/281271
Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain
http://support.microsoft.com/kb/219059
February 28th, 2011 12:54pm
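Added example, not part of any post in this thread: a PowerShell sketch of the lookup the replies describe, reading the Enterprise CAs that are published in the forest's Configuration partition. It assumes a domain-joined Windows machine, an authenticated domain user, and the default `CN=Enrollment Services,CN=Public Key Services,CN=Services` container; because the Configuration naming context is taken from RootDSE, the same script should return the same CA list whether it runs in ABC.CORP.COM or PQR.CORP.COM.

```powershell
# Added example: enumerate Enterprise CAs from the Configuration partition.
# Run as an ordinary domain user on a domain-joined machine.

# RootDSE is served by whichever DC the client located through DNS SRV records.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.Properties["configurationNamingContext"].Value

# Default container where Enterprise CAs publish their enrollment service objects.
$base = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher             = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$base
$searcher.Filter      = "(objectClass=pKIEnrollmentService)"
$searcher.SearchScope = "OneLevel"
foreach ($attr in "cn", "dnshostname", "certificatetemplates") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    if ($results.Count -eq 0) {
        Write-Warning "No Enterprise CA is published under $base"
    }
    foreach ($r in $results) {
        [pscustomobject]@{
            # CA common name, as it appears in the CA configuration string
            CAName    = [string]($r.Properties["cn"] | Select-Object -First 1)
            # Host the client contacts to submit the request
            CAHost    = [string]($r.Properties["dnshostname"] | Select-Object -First 1)
            # Templates this CA is configured to issue (empty if none are published)
            Templates = @($r.Properties["certificatetemplates"]) -join ", "
        }
    }
}
finally {
    # FindAll() holds unmanaged resources until the collection is disposed.
    $results.Dispose()
}
```

A CA appearing in this list only shows that the client can discover it; whether enrollment succeeds still depends on the permissions set on the certificate template, as the last reply notes.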


