Win2000 Domain Controllers and Win2003 Certificate Services...

Greetings!

My environment has Win2000 Domain Controllers and and a new Win2003/Exchange
2003 Server, which of course also has IIS. I added Certificate Services as an
Enterprise Root CA to the Win2003 Server and on the same machine tried to
request a certificate from the online CA and the certificate was not issued.

Are they any known issues with Win2003 Certificate Services with only
Win2000 DCs? For example, is it just a matter of granting permissions on a
certain certificate template or something?

Are there any ramifications of removing the Enterprise Root CA from the
Win2003 machine and installing it on one of my Win2000 DCs?

Was this the best forum for this sort of message?

Thanks,
GeorgeS

In news:8F2707DF-CB2F-4A3D-9B17-(E-Mail Removed),
George Squillace <(E-Mail Removed)> stated, which I
commented on below:
> Greetings!
>
> My environment has Win2000 Domain Controllers and and a new
> Win2003/Exchange 2003 Server, which of course also has IIS. I added
> Certificate Services as an Enterprise Root CA to the Win2003 Server
> and on the same machine tried to request a certificate from the
> online CA and the certificate was not issued.
>
> Are they any known issues with Win2003 Certificate Services with only
> Win2000 DCs? For example, is it just a matter of granting permissions
> on a certain certificate template or something?
>
> Are there any ramifications of removing the Enterprise Root CA from
> the Win2003 machine and installing it on one of my Win2000 DCs?
>
> Was this the best forum for this sort of message?
>
> Thanks,
> GeorgeS

How did you attempt to request a cert? Did you use the CA website? What were
the errors? Going through the website request steps, it should have given
you the option to install it.

Win2003 has more options than 2000 CA, such as autoenrollment for domain
members using a GPO. But for autoenrollment, you'll need 2003 Enterprise
edition to create a cert from a template for autoenrollment. Win2003 Server
(standard edition) does not give you this feature.

George, actually the microsoft.public.security.crypto newsgroup is specific
for this. I cross posted this for you. Replies, if any, will come back here
and to that group. I would suggest to go to that group and pick up this
thread there.

X-Posted to microsoft.public.security.crypto
F/ups not set and upto the person replying.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...