Schema considerations for SCEP
Hello,
I saw that the AD schema must be at level "30" to use ADCS... And it seems that some services in ADCS require an AD 2008 schema for full use (v3 templates, OCSP, qualified certificates... and NDES).
So my question is about NDES:
- Will I lose some NDES functionalities if I stay in AD schema "30"?
Regards,
February 18th, 2011 6:24am
No, NDES uses V1 certificate templates <G>
Brian
February 18th, 2011 7:21am
Thank you, Brian.
Just a little question: You said in your excellent W2K8 PKI and Certificate Security Book that "Microsoft Windows 2000 or Windows Server 2003 forests must have their schemas upgraded to the Windows Server 2008 schema to support the new features in a Windows Server 2008 PKI. These features include:[...] NDES"
Why? I'm just a little confused...
February 18th, 2011 7:33am
That was a mistake in the book that was missed in the review by editors, product group, and others.
Here is what you need the schema update for:
- Changes to Kerberos auth cert templates to include Read Only DCs (only part of 2008)
- Implementing Web-based enrollment (HTTP proxy and template information) in Windows Server 2008 R2
Other than that, you can deploy with the 2003 Schema.
Brian
February 18th, 2011 10:40am
Thanks, Brian, for your clarification.
February 18th, 2011 10:55am


