AD Certificate services / multiple AD sites

  • Thursday, April 26, 2012 10:30 PM

    Hello,

    I have a single domain with 2 sites, site A and site B.  Each site has an Enterprise Subordinate issuing CA, CA A and CA B.

    Computer certificates are enrolled automatically via a GPO.

    Does anyone know a way to make sure that computers in site A only get certificates from CA A and vice versa?

    Thanks

All Replies

  • Thursday, April 26, 2012 10:23 AM

    I would post this question in a dedicated security forum which deals with CA related issues.

    http://social.technet.microsoft.com/Forums/en/winserversecurity/threads


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Thursday, April 26, 2012 10:32 PM
    Ok thanks - is it security related though - surely just a general AD CS question ?
  • Thursday, April 26, 2012 10:38 PM

    Hello,

    As they are applied with GPOs and this belongs to the authentication process, make sure AD Sites and Services is configured with the correct subnets linked to the site where the authenticating DC is located.

    But this may not completely assure this, as if the site DC is not available the client will use the other DC via DNS. But as both DCs are always in sync, why don't you work with the correct AD Sites and Services setup only? This normally should be enough, except when one DC fails.

    For DCLocator process see:

    http://jorgequestforknowledge.wordpress.com/2007/06/30/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1/

    http://jorgequestforknowledge.wordpress.com/2007/07/01/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-2/

    http://jorgequestforknowledge.wordpress.com/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-3/

    http://www.frickelsoft.net/blog/?p=278


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


  • Friday, April 27, 2012 5:46 AM
     Answered

    1) Create a global or universal group for each site - SiteAComputers and SiteBComputers

    2) Populate the groups with each site's computer objects

    3) Create two certificate templates - one for each site that enable Client Authentication.

    4) Publish the SiteACertificate template at the enterprise CA in Site A

    5) Publish the SiteBCertificate template at the enterprise CA in Site B

    6) Assign Read, Enroll and Autoenroll permissions to the SiteAComputers group for the SiteACertificate template and publish the certificate template at the Site A enterprise CA

    7) Assign Read, Enroll and Autoenroll permissions to the SiteBComputers group for the SiteBCertificate template and publish the certificate template at the Site B enterprise CA

    Certificates are then deployed the way you want.

    By default, clients will request certificates from the first CA that responds to their request, so without creating separate templates, there is no way to guarantee what you want.

    HTH,

    Brian

  • Friday, April 27, 2012 5:48 AM
     Answered

    The only way is to create 2 certificate templates (say, ComputersA and ComputersB) and 2 global security groups. Assign each group permissions on the respective template. And add the appropriate template to the corresponding CA (the ComputersA template should be added to a CA which resides in site A, and only computers in site A have Read and Enroll permissions on the template).


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
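
    The procedure Brian and Vadims describe above (one security group and one template per site, Read/Enroll/Autoenroll granted only to that site's group, each template published only at that site's CA), scripted in PowerShell as an added example that is not part of either reply. It assumes the two templates SiteAComputer and SiteBComputer have already been duplicated from Workstation Authentication in certtmpl.msc, that each site's computer objects live in their own OU (site membership is not an attribute of a computer object, so the OU stands in for it here), and that the OU paths and CA config strings are hypothetical placeholders for your own forest. The Enroll and Autoenroll rights are the Certificate-Enrollment and Certificate-AutoEnrollment extended rights in the configuration partition, written with their well-known GUIDs.

```powershell
# Added example: implements steps 1, 2, 6 and 7 of the accepted answer.
# Hypothetical OUs and CA config strings; template names assumed to exist already.
Import-Module ActiveDirectory

$sites = @(
    @{ Group = 'SiteAComputers'; Template = 'SiteAComputer'
       OU = 'OU=SiteA,OU=Workstations,DC=corp,DC=example'
       CA = 'caa.corp.example\Corp-SiteA-CA' },
    @{ Group = 'SiteBComputers'; Template = 'SiteBComputer'
       OU = 'OU=SiteB,OU=Workstations,DC=corp,DC=example'
       CA = 'cab.corp.example\Corp-SiteB-CA' }
)

# Extended-right GUIDs: Certificate-Enrollment and Certificate-AutoEnrollment
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Templates are stored in the configuration partition, shared by the whole forest
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($s in $sites) {
    # 1) one global security group per site
    if (-not (Get-ADGroup -Filter "Name -eq '$($s.Group)'")) {
        New-ADGroup -Name $s.Group -GroupScope Global -GroupCategory Security
    }

    # 2) populate it with that site's computer objects (OU used as site proxy)
    $members = @(Get-ADComputer -SearchBase $s.OU -Filter *)
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $s.Group -Members $members
    }

    # 6/7) Read + Enroll + Autoenroll for the site group on the template object
    $templateDN = "CN=$($s.Template),$templatesDN"
    $sid = (Get-ADGroup -Identity $s.Group).SID
    $acl = Get-Acl -Path "AD:\$templateDN"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'GenericRead', 'Allow')))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $enrollGuid)))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $autoEnrollGuid)))
    Set-Acl -Path "AD:\$templateDN" -AclObject $acl

    # publish the template on that site's CA only
    certutil -config $s.CA -SetCATemplates "+$($s.Template)"

    # review the resulting template ACL: only the site group should hold Enroll/Autoenroll
    (Get-Acl -Path "AD:\$templateDN").Access |
        Where-Object { $_.ActiveDirectoryRights -match 'ExtendedRight' } |
        Select-Object IdentityReference, AccessControlType, ObjectType
}
```

    Two checks are worth making before trusting the result. First, the review loop at the end should show no group other than the site group with Enroll or Autoenroll on the new template; a duplicated template can carry over an Enroll grant for Domain Computers, and if it does, any domain computer can still enroll from whichever CA publishes it, which defeats the site restriction. Second, run `certutil -config <CA> -CATemplates` against each CA and confirm each site template is listed on one CA only; the template being published on both CAs would again let autoenrollment pick the first CA that responds, exactly the behaviour the answer is working around.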

  • Friday, April 27, 2012 4:37 PM

    Vadims and I have proposed the same solution (2 minutes apart/a continent apart) <G>

    Brian