PKI certificates to child domains
Hi,
I installed a new CA for a child domain and configured the templates/autoenrollment GPO. Now, the certificates are issued from the parent domain's CA and not from the child domain's newly installed CA. Can you answer the following questions to help me understand this issue? Thanks in advance for your time to read and answer my questions.
1) How can I issue certificates from the child domain's new CA? It looks like a two-way trust is in place between the parent and child domain.
2) The certificates are issued from the parent domain's CA, so is it due to the two-way trust relationship?
3) What will happen if that two-way trust relationship is changed to a one-way trust (child domain to parent and not from parent to child)?
April 23rd, 2012 3:31pm
Just for the AD part:
You cannot change the trust relationship between a parent domain and a child one, since it should be bi-directional and transitive.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
April 23rd, 2012 3:57pm
Hi,
Certificate templates are assigned per CA. You need to verify that the certificate template used for auto enrolment is configured on the CA in the child domain with appropriate permissions for auto enrolment (read + enroll + auto enroll for users in the child domain).
http://technet.microsoft.com/en-us/library/cc770794(WS.10).aspx
Remove the auto enroll permissions from the certificate template used on the CA in the parent domain (perhaps the same template is used in both domains?), or if you don't need the template at all, unassign it from the parent domain CA.
Best regards, Daniel
www.twitter.com/danielullmark
April 24th, 2012 8:40am
Thanks for your reply. The parent CA is configured (authenticated users: read, enroll and auto enroll) for the User and Workstation templates and we need the parent CA to issue certificates. I configured the same permissions in the child CA, but the certificates are issued from the parent CA. I would like to issue the certificates for all authenticated users and workstations from the child CA. How to configure? I am also seeing that the certificates issued from the parent CA are not stored in the child domain's user properties.
April 24th, 2012 11:05am
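The two points raised above (Daniel's answer that templates are published per CA and that the Enroll/AutoEnroll ACEs on the template decide who can use it, and the follow-up observation that the issued certificates are not showing up on the child-domain user accounts) can both be checked from a PowerShell console before changing anything. The script below is an added troubleshooting example, not code from the thread or from Microsoft. It assumes the ActiveDirectory module is installed, that the caller can read the forest's Configuration partition, and that the template name, user name and child-domain DNS name at the bottom are placeholders you replace with your own. Because Enrollment Services and Certificate Templates live in the forest-wide Configuration partition, a client in the child domain sees every enterprise CA in the forest, which is why a template published on the parent CA with AutoEnroll granted to Authenticated Users is picked up by child-domain clients as well.

```powershell
# Added example: inventory which CA publishes which template, who holds
# Enroll/AutoEnroll on a template, and whether a user's account carries a
# published certificate. Not from the original thread; names at the bottom are placeholders.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs used on certificate template objects.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00e0-d9c6-0f7d1bb27d04'

# 1) Every enterprise CA in the forest and the templates it publishes.
#    A template listed under more than one CA is the "same template in both domains" case.
function Get-PublishedTemplates {
    Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
                 -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties cn, dNSHostName, certificateTemplates |
        ForEach-Object {
            [pscustomobject]@{
                CA        = $_.cn
                Host      = $_.dNSHostName
                Templates = (@($_.certificateTemplates) -join ', ')
            }
        }
}

# 2) Identities holding Enroll and/or AutoEnroll on a template.
#    The template object is forest-wide, so these ACEs apply on every CA that publishes it.
function Get-TemplateEnrollmentRights {
    param([Parameter(Mandatory)][string]$TemplateName)
    $dn  = "CN=$TemplateName,CN=Certificate Templates,$pksBase"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
        ForEach-Object {
            [pscustomobject]@{
                Template   = $TemplateName
                Identity   = $_.IdentityReference.Value
                Type       = $_.AccessControlType
                Enroll     = ($_.ObjectType -eq $EnrollGuid)
                AutoEnroll = ($_.ObjectType -eq $AutoEnrollGuid)
            }
        } |
        Where-Object { $_.Enroll -or $_.AutoEnroll }
}

# 3) Certificates published to a user's account (userCertificate attribute) in the
#    domain you name, with the issuing CA, so you can see which CA actually issued them.
function Get-UserPublishedCerts {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$DomainDnsName)
    $u = Get-ADUser -Identity $SamAccountName -Server $DomainDnsName -Properties userCertificate
    foreach ($raw in @($u.userCertificate)) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
        [pscustomobject]@{
            User       = $u.SamAccountName
            Issuer     = $cert.Issuer
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Placeholder usage: replace the template, account and domain names with your own.
Get-PublishedTemplates | Format-Table -AutoSize
Get-TemplateEnrollmentRights -TemplateName 'User' | Format-Table -AutoSize
Get-UserPublishedCerts -SamAccountName 'jdoe' -DomainDnsName 'child.example.com' | Format-Table -AutoSize
```

Reading the output: if the same template name appears under both the parent and the child CA with AutoEnroll granted to Authenticated Users, clients in either domain may enroll from either CA, and the parent CA keeps winning for the reasons Daniel gives. Restricting AutoEnroll to a child-domain group, or publishing a differently named template on the child CA, is the change his answer describes; the third function lets you confirm afterwards that the certificate on the child-domain account was issued by the child CA.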