Enterprise CA options greyed out.

Discussion in 'Security Software' started by Gunna, Sep 2, 2008.

  1. Gunna

    Gunna Guest

    I have an issue in Production I'm trying to solve, so I decided to replicate
    the setup using Virtual PC. I have my DC up and running, then I set up a
    member server running 2003 Server Standard with SP2; this is going to be my
    replica standalone root CA.

    The strange thing I get is when I go to set up Certificate Services the
    options for Enterprise CA and Enterprise subordinate are available, but when
    I set this up in production they were greyed out. I assumed they were not
    available because I was running Server Standard, but here in my lab I
    installed Standard and the Enterprise options are available. As if PKI wasn't
    confusing enough.
     
    Gunna, Sep 2, 2008
    #1

  2. The account you're logged in with needs to be an Enterprise Admin account.
     
    Paul Adare - MVP, Sep 2, 2008
    #2

  3. Gunna

    Gunna Guest

    Thanks Paul, but I'm afraid I am just more confused. Can you answer a question
    for me, because I read conflicting things. You can or cannot run Enterprise
    CA or Enterprise Sub on Standard edition? What is the difference between
    running Enterprise on a Standard server versus an Enterprise edition server?


    And further to my original post. I am logged onto the member server as a
    member of the Domain Admins group only, but I can see the option to select
    Enterprise Root or Enterprise Sub. Could I be seeing it because the Domain
    Admins group is a member of the Administrators group in Active Directory?
     
    Gunna, Sep 2, 2008
    #3
  4. Gunna,
    In your test environment, the account is a member of the Enterprise Admins
    group (either directly or through group nesting).
    - You can run an enterprise CA on the Standard, Enterprise, or Data Center
    edition SKUs
    - To get full functionality, you need to run on Enterprise or Data Center
    SKUs
    Full functionality includes: issue certs on V2 cert templates, key
    archival,
    Brian
     
    Brian Komar \(MVP\), Sep 2, 2008
    #4
  5. Gunna

    Gunna Guest

    Brian,

    Found some conflicting things. Firstly, as you have already said, you need to
    be an Enterprise Admin to install an Enterprise Root CA, and if you refer to
    this article http://technet.microsoft.com/en-us/library/cc776709.aspx it says
    the same.

    However,

    I just built a new environment. Standard Server 2003 SP2 domain controller
    and a Standard Server 2003 SP2 for my Root CA. I logged onto the 2nd machine
    as a user with local admin to the second server only (only domain membership
    was Domain Users) and tried to install PKI, and sure enough I only got the
    Standalone options. I stopped the install and then logged on using an
    account I created and placed only in the Domain Users and Domain Admins
    groups. Then I started to install Certificate Services and I got both the
    Enterprise and Standalone options. I then installed it completely as an
    Enterprise Root CA as a Domain Admin only, with no visible errors or issues.
    So what is the Enterprise Admin requirement for?
     
    Gunna, Sep 4, 2008
    #5
  6. Gunna

    Gunna Guest

    Further to my other post I just made. I also found that if you install a
    Standalone Root CA logged in as a Domain Admin, and not a Domain + Enterprise
    Admin, the CRL publishes to AD OK even though it isn't an Enterprise CA. I
    thought that Standalones had to be manually published to AD, or is that if
    they are not domain members?
     
    Gunna, Sep 4, 2008
    #6
  7. Sigh...
    The account you used was in the Enterprise Admins group. End of story.
    How many domains in your forest? My guess is one.
    Brian
     
    Brian Komar \(MVP\), Sep 4, 2008
    #7
  8. The Domain Admins group in a single domain forest, or in the root domain of
    a multi-domain forest, has more powers than does the Domain Admins group in
    child domains. You're still better off getting in the habit of using
    Enterprise Admins, as that group will always be able to install an
    Enterprise CA, regardless of the domain/forest structure.
     
    Paul Adare - MVP, Sep 4, 2008
    #8
  9. Gunna

    Gunna Guest

    Brian,

    I'm not doubting you, I just don't see where. But I think I know how, so
    please confirm. I built a new AD, created a new user account and placed it
    into Domain Admins. Confirmed that Domain Admins or this user is not a
    member of Enterprise Admins. However, the Domain Admins and the Enterprise
    Admins are both a member of the Administrators group. I assume this is where
    the access is coming from, right? Say yes and I'll accept it :)
     
    Gunna, Sep 5, 2008
    #9
  10. Gunna

    Gunna Guest

    Brian,

    Looks like I answered my own question. I created a user, added it to Domain
    Admins, took Domain Admins out of the Administrators group. Logged onto the
    server to install Cert Services but still got Enterprise and Standalone. I
    cannot see how or where I'm getting the Enterprise Admin access you say I am
    getting. I'm happy to accept that's what's happening, but I have to see how\where
    I'm getting these Enterprise rights.
     
    Gunna, Sep 5, 2008
    #10
  11. Please see Paul's response in this thread (which is why I asked you for
    your domain structure).
    Since you are logged in as a member of the forest root domain's Domain
    Admins group, you have the necessary permissions to write information to the
    Configuration Naming Context (hence you are offered the Enterprise CA
    options).
    If you had a child domain, a member of the child domain's Domain Admins (or
    any other domain in the forest's Domain Admins group), then you would not be
    offered the option.
    Again, please look at Paul's response.
    Brian
     
    Brian Komar \(MVP\), Sep 5, 2008
    #11
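    The explanation above (forest root Domain Admins can write to the Configuration
    Naming Context, which is what the Enterprise CA option actually needs) can be
    verified before running the CA setup. The following PowerShell check is an
    added example written for this thread, not code from any of the posters or from
    Microsoft. It assumes the RSAT ActiveDirectory module (which provides the `AD:`
    drive used by `Get-Acl`), a reachable domain controller, and a sAMAccountName
    supplied as the `$Account` parameter (the default `'jdoe'` is a placeholder).
    It reports whether the account is an effective (nested) member of the forest
    root's Enterprise Admins or Domain Admins, and lists which Allow ACEs on the
    Public Key Services container under the Configuration NC grant write rights, so
    an administrator can see exactly where the rights Brian describes come from.

```powershell
# Added diagnostic for the thread above; not from the original posters.
# Assumes: RSAT ActiveDirectory module, reachable DC, $Account is a placeholder.
Import-Module ActiveDirectory

function Test-EnterpriseCaRights {
    param([string]$Account = 'jdoe')   # placeholder sAMAccountName

    $forest   = Get-ADForest
    $rootDom  = Get-ADDomain -Identity $forest.RootDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiDN    = "CN=Public Key Services,CN=Services,$configNC"

    # Well-known RIDs in the forest root domain: 519 = Enterprise Admins, 512 = Domain Admins
    $rootSid = $rootDom.DomainSID.Value
    $eaSid   = "$rootSid-519"
    $daSid   = "$rootSid-512"

    # Resolve the account through the global catalog so child-domain users are found too
    $user = Get-ADUser -Identity $Account -Server "$($forest.RootDomain):3268"

    # Effective (nested) membership of the two root-domain groups
    $eaMembers = Get-ADGroupMember -Identity $eaSid -Recursive -Server $rootDom.PDCEmulator
    $daMembers = Get-ADGroupMember -Identity $daSid -Recursive -Server $rootDom.PDCEmulator
    $isEA = [bool]($eaMembers | Where-Object { $_.SID.Value -eq $user.SID.Value })
    $isRootDA = [bool]($daMembers | Where-Object { $_.SID.Value -eq $user.SID.Value })

    # Allow ACEs on the PKI container that carry any write-type right
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'
    $acl = Get-Acl -Path "AD:\$pkiDN"
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeMask) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

    # Summarise which case from the thread applies
    $verdict = if ($isEA) {
        'Enterprise Admins member: Enterprise CA options available in any domain of the forest'
    } elseif ($isRootDA) {
        'Forest-root Domain Admins only: Enterprise CA options available because this group can write the Configuration NC'
    } else {
        'No write rights to the Configuration NC expected: only Standalone CA options will be offered'
    }

    [pscustomobject]@{
        Account             = $user.SamAccountName
        ForestRootDomain    = $forest.RootDomain
        IsEnterpriseAdmin   = $isEA
        IsRootDomainAdmin   = $isRootDA
        PkiContainer        = $pkiDN
        WriteAllowedAces    = $writers
        Verdict             = $verdict
    }
}

# Usage: run on a domain-joined machine as any domain user that can read AD
Test-EnterpriseCaRights -Account 'jdoe' | Format-List
```

    The `WriteAllowedAces` list is the useful part when the verdict is
    unexpected: an account that gets the Enterprise options without being in
    either group will show the group that grants it (for example a custom group
    delegated rights on the container), which is the kind of nesting Brian and Paul
    refer to. Run it with the same account you intend to use for the CA install.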
  12. Gunna

    Gunna Guest

    Thanks Paul,

    Nice undocumented feature, that. Might explain a few strange issues I noticed
    in AD. I'll just accept that since it works in my environment :)
     
    Gunna, Sep 9, 2008
    #12
  13. Gunna

    Alun Jones Guest

    Not undocumented -
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbd_ads_xsfl.mspx,
    for instance, lists that the domain admins of the forest root domain are
    able to make accounts members of the Enterprise Admins and Schema Admins
    groups.

    This is a natural consequence of having a forest root domain, whether it was
    documented or not, so should come as no surprise - but it is documented.

    Alun.
    ~~~~
     
    Alun Jones, Sep 9, 2008
    #13
