Windows 2003 Std Server and PKI
Hi Everyone,
I have a problem with a customer who also wants to upgrade to native mode. Not yet, but in the future. The customer has only a Win 2003 Std Server and a PKI on it.
So that's my problem. I need Win2003 Ent to create the certificates for native mode.
So my question is, is there a workaround to do this on a Win2003 Std?
Must the root CA be a domain controller? Or can I do this also on a member server in a domain?
Thanks a lot
Answers
Carol Bailey [MSFT] wrote: Yes, it’s a very common misconception that native mode requires the exact setup in the test network requirements for the step-by-step example deployment of the PKI certificates. Using a Microsoft CA with Enterprise Edition certainly makes certificate deployment simpler. However, the only native mode requirement is that the certificates are deployed. See:
And text from the step-by-step:
Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment.
If your customer already has a PKI, give them the list of certificate requirements and let them work out the best way to deploy them - or enlist PKI expertise if needed.
- Carol
This posting is provided “AS IS” with no warranties and confers no rights.
One thing I wanted to note that's very important is that only Windows Server 2003 Enterprise edition supports all of the features of enterprise CAs (such as the ability to deploy and use V2 templates). If you use Windows Server 2003 Standard edition and install an enterprise CA, your ability to deploy the necessary templates required by ConfigMgr will be very limited since it will only support V1 templates.
All Replies
1. You need an Enterprise CA for auto enrollment.
2. It doesn't need to be on a domain controller. It's important that you do your PKI planning well, considering an offline root CA etc.
/S
Carol is right in this, but if you are using a Microsoft infrastructure it is very hard to maintain it without a Microsoft Ent CA.
I have no experience using third-party vendors, but of course it is possible.
http://technet.microsoft.com/en-us/library/bb680312.aspx
/S
OK, thanks a lot for the information.
Now I did the following: set up a second DC and replicated with the Std server.
Then we migrated the PKI to the Enterprise second DC server.
Works well.
Thanks
- Thanks all. It responds to my questions.
Steve

