If you are installing a Windows 2003 PKI in a Windows Server 2003 Active Directory environment, no modifications are required to allow installation because Active Directory is already configured with the Windows Server 2003 schema. Likewise, each domain in the forest already has the domain additions applied to each domain in the forest.
Modification of the Cert Publishers groups is the only modification required in a multidomain Windows Server 2003 forest environment. In a Windows Server 2003 forest, the Cert Publishers group is a domain local group that exists in each domain in the forest.
To allow any enterprise CA in the forest to publish certificates to any user object in the current forest or to Contact objects in foreign forests, you must add the enterprise CA's computer account to the membership of each domain's Cert Publishers group. Because the scope of the Cert Publishers group is changed from a global group to a domain local group, the membership can now contain computer accounts from outside the domain where the Cert Publishers group resides.
Tip To use this script in your environment, simply modify the domain names to match the domain names in your forest. You must assign permissions to the domain and the AdminSDHolder container for each domain in your forest.
Note A Windows Server 2003 PKI has no requirements for a domain functional level or forest functional level.
Note If the forest was previously modified to add either an enterprise Cert Publishers universal group or individual Cert Publishers group entries to the domain and AdminSDHolder container, these extraneous entries should be removed once all domains are upgraded to Windows Server 2003 domains—that is, once every domain controller in the domain is running Windows Server 2003.
Was this article helpful?