Stand-alone CA and its root certificate
Hi,
A few days ago I installed a stand-alone CA on a Windows Server 2008 R2 server. This is a member server in my domain.
Today I see that all machines in the domain have this server's certificate in their "Trusted Root Certification Authorities" store.
How is this done? I can't see anything being pushed through GPO. I thought a stand-alone CA would not push to the domain.
Regards
Olof
March 7th, 2011 4:05am
If a standalone CA can contact domain controllers, it publishes its own certificate to the appropriate AD containers:
Standalone Root: Certification Authorities, AIA
Standalone Subordinate: AIA
These containers are located in CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}
Certificates from these containers are automatically propagated to clients with group policy refresh (or autoenrollment trigger). However, I would not advise installing a Root CA in the domain. It is recommended to set up the Root CA in a workgroup without any network connectivity.
http://en-us.sysadmins.lv
March 7th, 2011 4:25am
Hello Vadims,
OK, that explains a few things. I will only use this CA to manage certificates for 10-20 servers using Operations Manager. Is there any way to stop this enrollment?
Regards
Olof
March 7th, 2011 4:43am
Standalone CAs are best for offline root and policy CAs, but not for issuing CAs. Enterprise CAs are best for issuing CAs, because it is possible to use certificate templates (a standalone CA will not use them even in a domain environment), autoenrollment, key archival and more. If you plan to issue only a few certificates, you should set up an Enterprise Root CA. Standalone CAs don't provide any benefits for enterprise enrollment.
To remove this CA certificate from clients, run PKIView.msc. Right-click the root node and select Manage AD Containers. Go through all tabs and remove the objects associated with this CA.
http://en-us.sysadmins.lv
March 7th, 2011 4:50am
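The two answers above describe where a CA's certificate is published in AD (the Certification Authorities and AIA containers under CN=Public Key Services) and that PKIView.msc's "Manage AD Containers" is the place to remove stray entries. The script below is an added, read-only audit example, not code from the thread or from the poster: it reads the certificates stored in those two containers, discovers the forest's configuration naming context from RootDSE instead of hard-coding the domain, and reports whether each published CA certificate has already landed in the local machine's Trusted Root store. It assumes a domain-joined machine with a domain account; the function name Get-PublishedCaCertificate is my own.

```powershell
# Added example: audit which CA certificates are published to the AD
# containers named in the thread and whether they have propagated to this
# machine's Trusted Root store. Read-only; nothing is deleted here.
# Written for PowerShell 2.0+ so it also runs on Server 2008 R2.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Containers from the answer: a standalone root lands in both,
# a standalone subordinate only in AIA.
$containers = @("Certification Authorities", "AIA")

function Get-PublishedCaCertificate {
    param([string]$ContainerName)
    $container = [ADSI]"LDAP://CN=$ContainerName,$pkiBase"
    foreach ($entry in $container.Children) {
        # cACertificate is multi-valued; each value is one DER-encoded certificate
        foreach ($der in @($entry.Properties["cACertificate"])) {
            if ($der -is [byte[]]) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
                New-Object PSObject -Property @{
                    Container  = $ContainerName
                    AdObject   = $entry.distinguishedName.ToString()
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

$published = foreach ($c in $containers) { Get-PublishedCaCertificate -ContainerName $c }
$localRoot = Get-ChildItem Cert:\LocalMachine\Root

# Mark each published CA certificate with whether GPO refresh/autoenrollment
# has already placed it in this machine's Trusted Root store.
$report = foreach ($p in $published) {
    $match = $localRoot | Where-Object { $_.Thumbprint -eq $p.Thumbprint }
    $p | Add-Member -MemberType NoteProperty -Name InLocalRootStore -Value ([bool]$match) -PassThru
}

$report | Sort-Object Container, Subject |
    Format-Table Container, Subject, Thumbprint, NotAfter, InLocalRootStore -AutoSize
```

Run it before and after the PKIView cleanup: the entry for the unwanted CA should disappear from the AD containers immediately, while the InLocalRootStore column on each client only flips after the next group policy refresh, which is the propagation path the answer describes.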
Hi,
An Enterprise CA will also push its certificate to AD machines right?
My goal is to install a CA that will impact as little as possible. This is mainly because I don't want to involve the AD team for this. My purpose is to issue/maintain a few certificates, so pushing information to all machines in AD seems like a lot of unnecessary things to do.
/Olof
March 7th, 2011 5:09am
> An Enterprise CA will also push its certificate to AD machines right?
Yes.
http://en-us.sysadmins.lv
March 7th, 2011 7:05am