Brian
Thu Sep 04 22:17:17 CDT 2008
Please see Paul's response in this thread (which is why I asked you for
your domain structure).
Since you are logged in as a member of the forest root domain's Domain
Admins group, you have the necessary permissions to write information to the
Configuration Naming Context (hence you are offered the Enterprise CA
options).
If you had a child domain, a member of the child domain's Domain Admins (or
any other domain in the forest's Domain Admins group), then you would not be
offered the option.
Again, please look at Paul's response.
Brian
"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:D59D95DD-0E8F-49AD-9BA5-CB873B224345@microsoft.com...
> Brian,
>
> Looks like I answered my own question. I created a user, added it to
> Domain Admins, took Domain Admins out of the Administrators group. Logged
> onto the server to install Cert services but still got Enterprise and
> Standalone. I cannot see how or where I'm getting the Enterprise Admin
> access you say I am getting. I'm happy to accept that's what's happening
> but I have to see how\where I'm getting these Enterprise rights.
>
> "Brian Komar (MVP)" wrote:
>
>> Sigh...
>> The account you used was in the Enterprise Admins group. End of story.
>> How many domains in your forest? My guess is one.
>> Brian
>>
>> "Gunna" <Gunna@discussions.microsoft.com> wrote in message
>> news:4FC918AB-8D77-4AB7-B879-301CCC6355B7@microsoft.com...
>> > Brian,
>> >
>> > Found some conflicting things. Firstly, as you have already said, you
>> > need to be an Enterprise admin to install an Enterprise Root CA, and if
>> > you refer to this article
>> > http://technet.microsoft.com/en-us/library/cc776709.aspx
>> > it says the same.
>> >
>> > However,
>> >
>> > I just built a new environment. Standard Server 2003 SP2 domain
>> > controller and a Standard Server 2003 SP2 for my Root CA. I logged onto
>> > the 2nd machine as a user with local admin to the second server only
>> > (only domain membership was Domain Users) and tried to install PKI and
>> > sure enough I only got the Standalone options. I stopped the install and
>> > then logged on using an account I created and placed only in the Domain
>> > Users and Domain Admins groups. Then started to install Certificate
>> > services and I got both the Enterprise and Standalone options. I then
>> > installed it completely as Enterprise Root CA as a Domain Admin only
>> > with no visible errors or issues.
>> > So what is the Enterprise Admin requirement for?
>> >
>> > "Brian Komar (MVP)" wrote:
>> >
>> >> Gunna,
>> >> In your test environment, the account is a member of the Enterprise
>> >> Admins group (either directly or through a group nesting).
>> >> - You can run an enterprise CA on the Standard, Enterprise, or Data
>> >>   Center edition SKUs
>> >> - To get full functionality, you need to run on Enterprise or Data
>> >>   Center SKUs
>> >> Full Functionality includes: issue certs on V2 cert templates, Key
>> >> archival,
>> >> Brian
>> >>
>> >> "Gunna" <Gunna@discussions.microsoft.com> wrote in message
>> >> news:6F2DAA82-E6F9-41E6-B38B-0F5660C14C94@microsoft.com...
>> >> > Thanks Paul but I'm afraid I am just more confused. Can you answer a
>> >> > question for me because I read conflicting things. You can or cannot
>> >> > run Enterprise CA or Enterprise Sub on Standard edition? What's the
>> >> > difference between running Enterprise on a standard server versus
>> >> > Enterprise edition server?
>> >> >
>> >> >
>> >> > And further to my original post. I am logged onto the member server
>> >> > as a member of the Domain Admin group only but I can see the option
>> >> > to select Enterprise Root or Enterprise Sub. Could I be seeing it
>> >> > because the Domain Admins group is a member of the Administrators
>> >> > group in Active Directory?
>> >> >
>> >> >
>> >> > "Paul Adare - MVP" wrote:
>> >> >
>> >> >> On Mon, 1 Sep 2008 20:01:01 -0700, Gunna wrote:
>> >> >>
>> >> >> > I have an issue in Production I'm trying to solve so I decided to
>> >> >> > replicate the setup using Virtual PC. I have my DC up and running,
>> >> >> > then I set up a member Server running 2003 Server Standard with
>> >> >> > SP2, this is going to be my replica standalone root CA.
>> >> >> >
>> >> >> > The strange thing I get is when I go to set up Certificate
>> >> >> > services the options for Enterprise CA and Enterprise subordinate
>> >> >> > are available but when I set this up in production they were
>> >> >> > greyed out. I assumed they were not available because I was
>> >> >> > running Server standard but here in my lab I installed Standard
>> >> >> > and the Enterprise options are available. As if PKI wasn't
>> >> >> > confusing enough.
>> >> >>
>> >> >> The account you're logged in with needs to be an Enterprise Admin
>> >> >> account.
>> >> >>
>> >> >> --
>> >> >> Paul Adare
>> >> >> MVP - Identity Lifecycle Manager
>> >> >>
>> >> >> http://www.identit.ca
>> >> >> Your password is pitifully obvious.
>> >> >>
>> >>
>>
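
The membership question the thread keeps circling, as an added example that is not part of any poster's message: this PowerShell sketch checks whether the current logon token carries Enterprise Admins or the forest root domain's Domain Admins, the two groups the replies tie to the Enterprise CA options. It assumes a domain-joined Windows machine and uses the well-known RIDs 512 and 519; the variable names are illustrative.

```powershell
# Added example, not from the thread. Run as the account that will install
# Certificate Services. On systems with UAC, run elevated: in a filtered
# token the admin groups are deny-only and do not appear in .Groups.
Add-Type -AssemblyName System.DirectoryServices

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDe  = $forest.RootDomain.GetDirectoryEntry()
$rootSid = New-Object System.Security.Principal.SecurityIdentifier($rootDe.objectSid.Value, 0)

# Well-known RIDs, relative to the forest root domain's SID.
$wanted = @{
    "$($rootSid.Value)-512" = 'Domain Admins (forest root domain)'
    "$($rootSid.Value)-519" = 'Enterprise Admins'
}

# The logon token already includes nested (indirect) group memberships,
# so no recursive directory lookup is needed.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

$hits = @($wanted.Keys | Where-Object { $tokenSids -contains $_ })

"Forest root domain : $($forest.RootDomain.Name)"
"Domains in forest  : $($forest.Domains.Count)"

if ($hits.Count -gt 0) {
    foreach ($sid in $hits) {
        "Token contains     : $($wanted[$sid]) [$sid]"
    }
    "Result             : forest-level admin group present in this token"
} else {
    "Result             : neither group is present in this token"
}
```

In a single-domain forest the only domain is the forest root, so a plain Domain Admins account matches the `-512` entry, which is the situation Brian's reply describes.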