Implement LDAPS for Windows 2003 Active Directory

    Question

    I know this question has been asked several times but I still have a few unanswered questions.

    =================================================================================

    Problem - I have a requirement to implement an SSL VPN solution with authentication bouncing against AD; however, my AD needs to accept LDAPS calls on 636 so that the VPN can facilitate password changes when they are expired. I do not currently have a CA in my environment and my AD cannot accept LDAPS requests.

    =================================================================================

    Environment - Windows 2003 Native Forest with a root domain Domain.net and three child domains: DVP.Domain.net (for Development), QAT.Domain.net (for Quality and Assurance) and PROD.Domain.net (for Production, and the location of the domain that needs to be able to accept Secure LDAP requests).

    Each domain in the forest has two domain controllers and everything is 2003.

    I have been through the following articles but have had a hard time gleaning what I want from them.

    Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure

    Building an Enterprise Root Certification Authority in Small and Medium Businesses

    Installing and Configuring Windows Server 2003 Enterprise Certification Authority

    LDAP over SSL (LDAPS) Certificate - TechNet Articles - United States (English) - TechNet Wiki

    PKI Design Guidance - TechNet Articles - United States (English) - TechNet Wiki

    I am usually not so gun shy on projects I am working on, but I am trying to make this solution as simple as possible because I only need it for this one service. Another thing that concerns me is I plan to upgrade my Active Directory environment by the end of this year and don't want this to create more work for me when I need to cross that bridge.

    =======================================================================================

    Questions - 

    1. Should I just create one Root CA in the child domain Prod.Domain.net where I need it, or should I install a Root CA in the forest root Domain.net and then a subordinate CA in the child domain Prod.Domain.net where I need it?

    2. I will be loading the CA on a member server in the domain I choose. Does this server need to be a particular flavor to support generating the proper certificate that can be used by AD? I see there is different functionality available between running the CA on Windows 2003 Std vs. Windows 2003 Ent.

    3. Can I load multiple Root CAs in the same forest for each separate domain?

    4. I plan to upgrade my Active Directory environment by the end of this year and don't want this to create more work for me when I need to cross that bridge. Are there any considerations for things I should do or not do with this CA installation with respect to this future upgrade?

    5. Any considerations or gotchas from anyone else who has done this in the past? Like after I install it, none of my computers can talk to the domain. :)

    I thank you all in advance for your comments and suggestions.

    22 June 2012 18:50
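The post asks how to get a DC answering LDAPS on 636 for the VPN, and question 5 worries about breaking domain communication. The check a practitioner runs once the CA is installed and the DC has picked up its certificate is to connect to port 636 from a domain member and confirm the presented certificate meets the LDAPS requirements from the cited TechNet article: Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), the DC's FQDN in the subject or Subject Alternative Name, current validity dates, and a chain the client trusts. The PowerShell script below is an added example, not code from the original post or from Microsoft; the DC name is a placeholder, and the private-key requirement cannot be verified over the network.

```powershell
# Added example, not from the original post: probe a domain controller's LDAPS
# listener on TCP 636 and report whether the certificate it presents satisfies
# the LDAP-over-SSL requirements. Run from any domain member with .NET.
param(
    [string]$DcFqdn = "dc1.prod.domain.net",   # placeholder, replace with your DC's FQDN
    [int]$Port = 636
)

$script:policyErrors = $null
# Accept any certificate during the handshake so it can be inspected; the real
# chain verdict is captured in $policyErrors and reported at the end.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # If this throws, the DC is not offering TLS on 636 at all (no usable cert yet).
    $ssl.AuthenticateAsClient($DcFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Close()
    $tcp.Close()
}

# Requirement 1: Enhanced Key Usage must include Server Authentication.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasServerAuth = $false
if ($ekuExt) {
    $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
}

# Requirement 2: the DC's FQDN must appear in the subject CN or in the SAN extension.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = ""
if ($sanExt) { $sanText = $sanExt.Format($false) }   # e.g. "DNS Name=dc1.prod.domain.net"
$subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$nameMatches = ($subjectCn -eq $DcFqdn) -or ($sanText -match ("DNS Name=" + [regex]::Escape($DcFqdn)))

# Requirement 3: certificate must be within its validity period right now.
$now = Get-Date
$withinValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

# Requirement 4: the issuing chain must be trusted by this client. A failure here
# usually means the CA certificate is not in the client's Trusted Root store, which
# is the same problem a VPN appliance will have if it is not given the CA cert.
$chainTrusted = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)

New-Object PSObject -Property @{
    DomainController     = $DcFqdn
    Subject              = $cert.Subject
    Issuer               = $cert.Issuer
    NotAfter             = $cert.NotAfter
    HasServerAuthEku     = $hasServerAuth
    NameMatchesDcFqdn    = $nameMatches
    WithinValidityPeriod = $withinValidity
    ChainTrustedByClient = $chainTrusted
    PolicyErrors         = $script:policyErrors
} | Format-List
```

Run it against each DC in PROD.Domain.net after the CA is up; every field from HasServerAuthEku down should read True. A False in ChainTrustedByClient on a domain member means the CA's certificate has not reached the client's Trusted Root store yet, and the VPN device will need that same CA certificate imported before it can validate the DC.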

Answers

All messages