Problems configuring certificate autoenrollment in Server 2003 R2 Enterprise
I'm trying to set up certificate autoenrollment to deploy certificates to all the computers in my domain for NAP and RADIUS. I have a single-domain network with the PDC running Server 2003 R2 SP2. I have the certificate authority installed on this DC. I've been using this as a guide: http://technet.microsoft.com/en-us/library/cc773385(WS.10).aspx It's been serving me pretty well, however I've hit a couple of snags.

Firstly, in the properties of the certificate template I created (duplicated), the options for "Do the following when the subject is enrolled and when the private key associated with this certificate is used:" are grayed out. I can't understand why.

Second, when I configure the Automatic Certificate Request Settings in Group Policy, I go to add a new request but the template that I created doesn't show up on the list. Should it? I selected the Computer template anyway, but when I open its properties, my CA doesn't show up on the list. Again, I don't know why. So any help would be great.

On another note, should I even have the CA on my domain controller? Would it be better somewhere else? Also, my NAP server is running 2008 R2 Enterprise. Would I be better served to have my CA running on it?
July 7th, 2011 3:36pm

First, the reason "Do the following when the subject is enrolled and when the private key associated with this certificate is used:" is grayed out is that you are editing a computer type certificate template, and these settings are only enabled for user type certificate templates.

Second, certificate autoenrollment and automatic certificate request are two different things! Automatic Certificate Request is restricted to v1 certificate templates associated with computers and does not work for users. Automatic Certificate Request lacks customization support because of the nature of v1 templates. Certificate Autoenrollment is based on the combination of Group Policy settings and version 2 or version 3 certificate templates; autoenrollment works both for user and computer type certificates. Autoenrollment works only if your certification authority supports v2 and/or v3 templates, and the requirements are that your CA is running on Windows 2003 Ent, Windows 2008 Ent or Windows 2008 R2 Std.

To enable autoenrollment:
1. Create a v2 or v3 template and enable it for Enroll and AutoEnroll: user certificate template example http://technet.microsoft.com/en-us/library/cc753778(WS.10).aspx, computer certificate template example http://technet.microsoft.com/en-us/library/cc732966(WS.10).aspx
2. Add the newly created template to your Ent CA
3. Enable autoenrollment for users and computers using Group Policy http://technet.microsoft.com/en-us/library/cc771025(WS.10).aspx

Regarding having the CA on your DC, it is generally recommended to keep the DC as clean as possible, especially when it comes to the CA service, because of the restrictions that apply whenever you install the CA service on a computer. Having a CA on the same server together with NAP/NPS should not give you any trouble as long as you are aware of the computer rename restrictions applied when ADCS is installed.

If your DC is not an Enterprise edition then you have a good reason to put your CA on the NAP server to be able to use v2 templates.
/Hasain
July 7th, 2011 5:48pm

Thank you for the reply. That makes more sense now. However, sorry for being dumb, but do you have a choice of v2 or v3 or even v1? How can I tell what I'm using? I am new at this. Thanks
July 7th, 2011 8:18pm

On Thu, 7 Jul 2011 17:18:47 +0000, mori_m wrote:
> However, sorry for being dumb but do you have a choice of v2 or v3 or even v1? How can I tell what I'm using? I am new at this.

Sort the Certificate Templates console by Minimum supported CA:
2000 = V1
2003 = V2
2008 = V3

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
On line: A statement shouted at tennis judges in response to serves being called out.
July 7th, 2011 8:34pm

To tell the version of a template, in the Certificate Templates management console, sort the list using the "Minimum Supported CAs" column and you have:
- V1 if the column reads Windows 2000
- V2 if it reads Windows 2003 Ent
- V3 if it reads Windows 2008 Ent

Before Windows 2008, duplicating a template always gives a v2 template; on Windows 2008 and above, when duplicating a template you have the choice to select whether the new template is going to be v2 or v3.
/Hasain
July 7th, 2011 8:36pm
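The console sort described in the two replies above reads the same information that Active Directory stores on each template object. The following PowerShell script is an added example (not from this thread or from Microsoft) that reports, for every template in the forest, its schema version (1 = v1, 2 = v2, 3 = v3), whether the CT_FLAG_AUTO_ENROLLMENT bit is set in its enrollment flags, and which enterprise CAs publish it (which is what step 2 of Hasain's list checks, and why a template that is not published on the CA never appears in the CA's list). It then reads the machine-side AEPolicy value that the Group Policy setting in step 3 writes. It assumes a domain-joined machine with LDAP read access to the Configuration partition; the AEPolicy bit meanings in the comments are this example's reading of that value, not something stated in the thread.

```powershell
# Added example, not from the thread: inspect AD certificate templates and the
# local autoenrollment policy. Uses DirectorySearcher, so no RSAT module is needed.

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Bit from msPKI-Enrollment-Flag ([MS-CRTD]) that marks a template for autoenrollment.
$CT_FLAG_AUTO_ENROLLMENT = 0x20

function Get-Prop($result, [string]$name) {
    # Safely read the first value of an LDAP attribute, $null when it is absent.
    if ($result.Properties.Contains($name) -and $result.Properties[$name].Count -gt 0) {
        return $result.Properties[$name][0]
    }
    return $null
}

function Get-CaTemplateMap {
    # Builds @{ templateName = @(caName, ...) } from each enterprise CA's
    # certificateTemplates attribute (pKIEnrollmentService objects).
    $map = @{}
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    $searcher.Filter = "(objectClass=pKIEnrollmentService)"
    foreach ($ca in $searcher.FindAll()) {
        $caName = [string](Get-Prop $ca "cn")
        foreach ($t in $ca.Properties["certificateTemplates"]) {
            $key = [string]$t
            if (-not $map.ContainsKey($key)) { $map[$key] = @() }
            $map[$key] += $caName
        }
    }
    return $map
}

function Get-AdCertificateTemplates {
    $published = Get-CaTemplateMap
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $searcher.Filter = "(objectClass=pKICertificateTemplate)"
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        $name   = [string](Get-Prop $r "cn")
        $schema = Get-Prop $r "msPKI-Template-Schema-Version"   # 1, 2 or 3
        $eflags = Get-Prop $r "msPKI-Enrollment-Flag"
        if ($null -eq $eflags) { $eflags = 0 }
        [pscustomobject]@{
            Template       = $name
            Version        = if ($null -ne $schema) { "v$schema" } else { "unknown" }
            AutoEnrollFlag = (([int]$eflags) -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0
            PublishedOn    = if ($published.ContainsKey($name)) { $published[$name] -join ", " }
                             else { "(not published on any CA)" }
        }
    }
}

function Get-MachineAutoenrollmentPolicy {
    # The "Certificate Services Client - Auto-Enrollment" GPO lands in this key.
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v) { return "Not configured (no AEPolicy value present)" }
    if ($v -band 0x8000) { return ("Disabled (AEPolicy=0x{0:X})" -f $v) }
    # Assumed bit layout: 0x1 = renew expired/update pending/remove revoked,
    # 0x2 = update certificates that use certificate templates.
    $opts = @()
    if ($v -band 0x1) { $opts += "manage My store" }
    if ($v -band 0x2) { $opts += "update templates" }
    return ("Enabled (AEPolicy=0x{0:X}): {1}" -f $v, ($opts -join ", "))
}

Get-AdCertificateTemplates | Sort-Object Version, Template | Format-Table -AutoSize
Get-MachineAutoenrollmentPolicy
```

Two caveats when reading the output: the AutoEnrollFlag column reflects the template's enrollment flags only, not the Autoenroll permission on the template's ACL that step 1 grants to the users or computers, so a template can show the flag and still never autoenroll for a principal that lacks that permission; and the AEPolicy check covers the computer policy only, since the equivalent user setting lives under HKCU for the logged-on user.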
