Schema update and domain prep required to support win2008 PKI in a win 2003 Domain?

    Question

  • Hi,

    We want to deploy win2008 certificate services in a win2003 forest. This is supported as stated by Brian Komar in his book "Windows Server 2008 PKI and Certificate Security"

    Win 2003 forests must have their schemas upgraded to the Win 2008 schema to support new features in Win 2008 PKI. Features include:

    Support for version 3 certificate templates, Addition of an online responder, Network Device Enrollment Service & Native Support for Qualified Certificates


    Performing the Schema Update

    At a command prompt, type adprep /forestprep, and then press Enter.

    After modification of the schema is replicated to all domain controllers in the forest, you can prepare each domain to benefit from the Windows Server 2008 schema extensions. To prepare each domain in the forest, use the following procedure:

    adprep /domainprep /gpprep

    Note 

    The adprep /domainprep /adprep /gpprep command both prepares the domain-wide information and adds cross-domain and resultant set of policy planning. The command modifies the file system and AD DS permissions on existing Group Policy Objects (GPOs).

    Note 

    It is not necessary to run adprep /domainprep to install a Windows Server 2008 enterprise CA in the forest.


    How should I interpret this?


    Is it enough to run adprep /forestprep if I want to use a win 2008 enterprise CA?  Can I skip the adprep /domainprep /adprep /gpprep if we don’t use any of the new features?

    Best regards,
    Daniel


    danielu@avanade
    Thursday, November 27, 2008 9:21 AM

Answers

  • Hi Daniel_U,

    Yes, it's enough to run adprep /forestprep on the schema master in order to use a Windows 2008 CA, because in this way the schema is updated to the Windows Server 2008 schema that will contain the version 3 certificate template object and the other features. If you only want to install a CA on a Windows 2008 member server, you can skip adprep /domainprep and adprep /gpprep. If you also want to add a domain controller with Windows 2008 on a domain, you must also run adprep /domainprep on the infrastructure master of that domain.
    Have a nice day! The Masterplan - MCSE,MCITP-EA http://winmasterplan.blogspot.com
    Thursday, November 27, 2008 12:45 PM
  • Hi all,
    Just to clarify the book.
    1) You do *not* need to update the AD schema to Windows Server 2008 to run a Windows Server 2008 enterprise CA. You must have a minimum of the Windows Server 2003 schema though.
    2) There is one change only once you apply the 2008 schema. This is the addition of ACEs for the Read-Only Domain Controllers group for the four DC-related certificate templates: Domain Controller, Domain Controller Authentication, Directory Email Replication, and Kerberos Authentication.

    Brian
    Thursday, November 27, 2008 8:28 PM
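    Brian's answer gives an administrator two things to verify before installing the CA: that the forest schema is at least the Windows Server 2003 level, and, if the 2008 schema has been applied, that the read-only domain controllers ACEs are present on the four DC templates. The PowerShell below is an added example, not code from the thread or from Microsoft; it reads objectVersion from the Schema container (the 13/30/31/44/47 mapping and the RID-based group match are assumptions from general knowledge, not from this page) and inspects those four templates on a domain-joined host.

```powershell
# Added example: verify the forest schema level and the DC template ACEs
# discussed in the thread. Run from a domain-joined machine with read access.

# Assumed mapping of Schema container objectVersion to Windows release.
$SchemaLevels = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
}

function Get-ForestSchemaLevel {
    # adprep /forestprep raises objectVersion; 30 (Server 2003) is the minimum
    # Brian states for a Windows Server 2008 enterprise CA.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    $version = [int]$schema.objectVersion.Value
    $release = if ($SchemaLevels.ContainsKey($version)) { $SchemaLevels[$version] } else { 'unknown/newer' }
    [pscustomobject]@{ ObjectVersion = $version; Release = $release; MeetsCaMinimum = ($version -ge 30) }
}

function Test-DcTemplateRodcAce {
    # Per Brian, the only PKI change the 2008 schema makes is adding ACEs for the
    # read-only domain controllers group to these four templates. Match by RID
    # (498 = Enterprise RODCs, 521 = RODCs; assumed well-known values) so the
    # check works even when the SID cannot be translated to a name.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $base    = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    foreach ($cn in 'DomainController','DomainControllerAuthentication',
                    'DirectoryEmailReplication','KerberosAuthentication') {
        try {
            $tpl   = [ADSI]"LDAP://CN=$cn,$base"
            $rules = $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            $rodc  = @($rules | Where-Object { $_.IdentityReference.Value -match '-(498|521)$' })
            [pscustomobject]@{ Template = $cn; SchemaVersion = [int]$tpl.'msPKI-Template-Schema-Version'.Value; HasRodcAce = ($rodc.Count -gt 0) }
        } catch {
            # Template missing (not published) or not readable: report rather than abort.
            [pscustomobject]@{ Template = $cn; SchemaVersion = $null; HasRodcAce = $null }
        }
    }
}

Get-ForestSchemaLevel | Format-List
Test-DcTemplateRodcAce | Format-Table -AutoSize
```

If MeetsCaMinimum is false, run adprep /forestprep on the schema master (as the thread says) before installing the enterprise CA; HasRodcAce being false on a forest with objectVersion 44 or higher is worth investigating, since the 2008 schema is expected to add those entries.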

All replies

  • Hi,

    A Windows 2000 Server domain must be upgraded to the Windows Server 2003 schema to support certain features of the enterprise CA, including version 2 and 3 certificate templates, delta certificate revocation lists (CRLs), and key archival and recovery.


    +

    Upgrade Active Directory to the Windows Server 2003 schema.

    Important

    After the Active Directory schema has been upgraded to Windows Server 2003, the schema will also be able to support any Windows Server 2008 AD CS features, including version 3 certificate templates.


    http://www.microsoft.com/downloads/details.aspx?FamilyID=3c670732-c971-4c65-be9c-c0ebc3749e24&displaylang=en

    Br, Daniel


    danielu@avanade
    Wednesday, December 03, 2008 8:48 AM
  • Daniel,
    The information you have posted is incorrect.
    Please see my earlier response in this thread
    Brian
    • Proposed as answer by Nagarabetta Monday, May 10, 2010 4:25 AM
    Wednesday, December 03, 2008 6:36 PM