Sorry, one other thing. If you created a standalone root CA, what did you expect to have happen in regards to publishing in Active Directory?
Have you seen this as part of your research?
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssch_pki_zmrm.asp

-----Original Message-----
From: Barber, Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 8:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Possibly OT: Certificate Hierarchies and AD

Sorry if this is slightly off topic, but documentation seems sparse out there.

A little background. I have an Active Directory with both Windows 2000 and Windows 2003 DCs. We are attempting to build a Certificate Hierarchy that will provide certificates to Active Directory users (for Exchange Digital Signatures, S/MIME, etc.) and also for outside users for web servers.

Questions:

We have read from Microsoft literature that you should create a Standalone Root CA, so that you can take it offline (i.e. not connected to the network) and store it safely. If this is the case, will a subordinate Enterprise CA automatically publish to the Active Directory? We have set up our current "test" this way, and don't see any changes to Active Directory. Also, the subordinate Enterprise CA seems to have Policies that are the basic (standalone) policies, and the policies do not have the "publish to Active Directory" options.

As an alternative, could we establish an Enterprise Root CA, allow it to publish to Active Directory, then turn it off? Would this be considered an "offline Enterprise Root CA"? Is this even possible?

Why is it that everyone out there who supposedly has information on CAs always installs an Enterprise Root CA? If you need to keep it online, isn't this a security risk?

If we install an Enterprise Root CA, can we put a subordinate Enterprise CA under it, then allow both internal and external users to obtain certification from that server? Or would I have to install a subordinate stand-alone server as well?
Any clarification would be appreciated. Thanks!

-Tom

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
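An added example, not from the thread or from Microsoft's documentation: a PowerShell script that lists what is actually published under the Public Key Services containers of the Configuration partition, which is where an Enterprise CA writes its objects, so "no changes to Active Directory" can be checked object by object. It assumes a domain-joined Windows host with PowerShell 3 or later; the container names are the standard ones, and the certutil file names in the closing comment are placeholders.

```powershell
# Enumerate the AD objects an Enterprise CA is expected to create.
# An offline standalone root never writes any of these itself.
$cfgNc   = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase = "CN=Public Key Services,CN=Services,$cfgNc"

function Show-CaCerts([string]$Label, [System.DirectoryServices.DirectoryEntry]$Entry) {
    # cACertificate is multi-valued; each value is one DER-encoded CA certificate.
    foreach ($blob in @($Entry.psbase.Properties["cACertificate"])) {
        if (-not $blob) { continue }
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,[byte[]]$blob)
        "{0,-28} {1,-50} expires {2:yyyy-MM-dd}" -f $Label, $cert.Subject, $cert.NotAfter
    }
}

# Containers whose child objects each carry one CA's certificate(s).
$containers = [ordered]@{
    "Certification Authorities" = "trusted roots, pushed to every domain member"
    "Enrollment Services"       = "Enterprise CAs that domain clients may enrol against"
    "AIA"                       = "issuer certificates used for chain building"
}
foreach ($name in $containers.Keys) {
    Write-Output "== $name : $($containers[$name])"
    $container = [ADSI]"LDAP://CN=$name,$pkiBase"
    foreach ($child in $container.psbase.Children) {
        Show-CaCerts $child.psbase.Name $child
    }
}

# NTAuthCertificates is a single object listing every CA trusted to issue logon certificates.
Write-Output "== NTAuthCertificates : CAs trusted for smart-card and other logon certificates"
Show-CaCerts "NTAuth" ([ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase")

# If the root is missing from "Certification Authorities" and its CRL from CDP, the
# offline root's certificate and CRL have to be published by hand (run as Enterprise
# Admin on a domain member; OfflineRoot.* are placeholder file names):
#   certutil -dspublish -f OfflineRoot.crt RootCA
#   certutil -dspublish -f OfflineRoot.crl
```

A subordinate Enterprise CA that was installed by an Enterprise Admin should appear under Enrollment Services, AIA and NTAuthCertificates; if it does not, the CA was not installed with enterprise rights or is not an Enterprise CA at all.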
