Duh, had a moment. The requirement is not that they are on a DC, it is
that they are on a domain-joined machine. Member servers are ok.

I'm no cert guy. :)

Thanks for keeping me in line.

~Eric



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, May 20, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAPS to DCs

Hi Eric

According to the Step-by-step guide to setting up a Certificate Authority
(http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp)
the enterprise CA can be either a member server or a DC.

"The enterprise CA requires the following:

Windows 2000 DNS Service installed (required by Active Directory).
Windows 2000 Active Directory installed. Enterprise policy places information into the Active Directory. The enterprise CA can be either a member server or a domain controller.
Enterprise administrator privileges on the DNS, Active Directory, and CA servers. This is especially important because setup modifies information in numerous places, some of which require enterprise administrator privileges."

Tony

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, 20 May 2004 18:30
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAPS to DCs

If memory serves me correctly, that probably stems from the fact that most people want to do auto enrollment, auto enrollment need be done from an enterprise CA rather than a standalone one, and enterprise CAs (root or subordinate) need be on DCs.

That said, you don't need to do that for LDAPS... you could have a standalone cert or even a 3rd party cert. So long as the cert in question is in the appropriate store (machine store on the DC) and is trusted by the client (i.e. appropriate trusted root store config) and other things are set up as required (CRL, etc.) you should be all set.

Capimon is a great tool to help troubleshoot issues with this if you have a config problem.

~Eric
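
A present-day check for the conditions Eric lists (a cert in the DC's machine store with the Server Authentication EKU and the DC's name, a chain the client trusts, CRL reachable, and a working handshake on 636), added here as an example and not part of the thread; it assumes Windows PowerShell 3 or later running on the DC and defaults to the local host's FQDN.

```powershell
# Added example, not from the thread. Checks the machine store for an
# LDAPS-capable certificate and then performs a client-side TLS handshake
# against port 636 using the default machine trust store.
param(
    [string]$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. Candidates: LocalMachine\My, private key present, Server Authentication
#    EKU, and the DC FQDN in the subject/SAN DNS names.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.DnsNameList.Unicode -contains $DcFqdn)
}

if (-not $candidates) {
    Write-Warning "No LDAPS-capable certificate for $DcFqdn in the machine store."
    return
}

foreach ($cert in $candidates) {
    # 2. Build the chain with online revocation checking; this mirrors what
    #    a client with the correct trusted-root configuration will do.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'NoError' }
    "{0}  expires {1}  chainOK={2}  status={3}" -f $cert.Thumbprint, $cert.NotAfter, $ok, $status
}

# 3. Client-side handshake: AuthenticateAsClient throws when the server cert
#    is untrusted, revoked, expired, or does not match the target name.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    "LDAPS handshake OK: {0}, issued by {1}" -f $ssl.RemoteCertificate.Subject, $ssl.RemoteCertificate.Issuer
} catch {
    Write-Warning "LDAPS handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Step 3 can be run from a member server or workstation by passing -DcFqdn, which tests the client-side trust Eric describes rather than the DC's own view of the chain.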



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, May 20, 2004 11:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAPS to DCs

Not sure about putting the CA on a DC but I can't think why it would be a requirement. You would need a cert for LDAPS.

This is probably where the recommendation came from to use an Enterprise CA:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;247078

However, in light of the question I think this answers your question:
http://www.microsoft.com/technet/security/guidance/secmod154.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

As long as you're not using SMTP for transport apparently.
http://support.microsoft.com/default.aspx?scid=kb;en-us;222962


Overall, I think the *story* needs to be considered and these articles
re-written (hint hint to MS).

Al
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Thursday, May 20, 2004 10:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAPS to DCs

I think this thread has been on here before, but I just wanted to verify it once more.

In order to use LDAPS on DCs, Microsoft documentation says a CA needs to be installed on the DC.

Does anyone have any information on other methods to do LDAPS without the CA requirement?

Thanks,
Todd
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
