Certificate Templates Replication

Although they’ve been around for a while, certificates are a relatively new thing for administrators to have to deal with. Configuration Manager in Native Mode heavily relies upon them.

Certificate Template Replication

[Figure: Certificate Authority MMC Snap-In]

Although technically not required for Configuration Manager, the only documented way (http://technet.microsoft.com/en-us/library/bb694035(TechNet.10).aspx) to create and support ConfigMgr in Native Mode is with a Microsoft Enterprise Certificate Authority (CA) running on Windows Server Enterprise. Notice the use of the word “Enterprise” twice. The first occurrence indicates a CA integrated with Active Directory: an Enterprise CA enables auto-enrollment via Group Policy, AD-based CRL publishing, and the use of certificate templates. The second occurrence indicates that the CA must be installed on Windows Server Enterprise Edition (2003 or 2008). This is what lets you issue certificates from customized (version 2) certificate templates. You can create and edit templates from a CA on Standard Edition, but a Standard Edition CA cannot issue certificates based on them, so it will not be able to issue the ConfigMgr certificates.

Certificate templates will make your life much easier: they let you customize the certificates your certificate authority issues. Creating the certificate templates for ConfigMgr is straightforward when you follow the guide above. Note that this guide is for a Windows 2003 based CA; Microsoft has a draft document for using a Windows 2008 CA, but it is not generally available yet (http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/06/30/having-problems-deploying-the-certificates-for-native-mode-with-a-windows-server-2008-ca.aspx). I’m using this draft guide right now and it works well.

One slight hiccup you might encounter is that a newly created certificate template does not immediately appear when you click New->Certificate Template to Issue in the Certification Authority snap-in. Many troubleshooting guides recommend that you make sure the CA is running on Windows Server Enterprise. They neglect to mention that templates are stored in the Configuration partition of Active Directory, which replicates to every DC in the forest, and the CA will not see the new template until it has replicated to the domain controller the CA is reading from. In a small forest with a single site, that is a matter of seconds or minutes. In a larger forest with several sites and inter-site replication schedules, the delay may have you pulling your hair out if you don’t know what’s going on.
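To see where the replication actually stands, rather than guessing, you can ask each domain controller directly whether it has the template object yet. The script below is an added example, not code from the original post or from Microsoft’s guide. It binds to each DC by name (so the query does not silently land on the same DC every time), searches that DC’s copy of the Certificate Templates container, and reports whether the template is present. It assumes a domain-joined Windows machine and an authenticated user (reading the Configuration partition needs no special rights); the template name “ConfigMgrWebServer” is a placeholder, so substitute the CN of your own template.

```powershell
# Added example (not from the original post): check whether a certificate template
# has replicated to every domain controller in the forest by querying each DC's
# copy of the Configuration naming context directly.
function Test-TemplateReplication {
    param(
        [Parameter(Mandatory = $true)]
        [string]$TemplateName   # CN of the template, e.g. "ConfigMgrWebServer" (placeholder)
    )

    Add-Type -AssemblyName System.DirectoryServices

    # Templates live in the forest-wide Configuration NC, under Public Key Services.
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $tmplPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    # Every DC in every domain of the forest holds a replica of the Configuration NC.
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $dcNames = $forest.Domains |
        ForEach-Object { $_.DomainControllers } |
        ForEach-Object { $_.Name }

    foreach ($dc in $dcNames) {
        $status = @{
            DomainController = $dc
            TemplateFound    = $false
            SchemaVersion    = $null   # 1 = built-in v1 template, 2/3 = customizable
            WhenChanged      = $null
            Error            = $null
        }
        try {
            # Bind to this specific DC rather than letting the DC locator pick one;
            # otherwise every query may hit the same (already converged) DC.
            $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$tmplPath")
            $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
            $searcher.Filter      = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
            $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
            [void]$searcher.PropertiesToLoad.Add("msPKI-Template-Schema-Version")
            [void]$searcher.PropertiesToLoad.Add("whenChanged")

            $hit = $searcher.FindOne()
            if ($hit -ne $null) {
                $status.TemplateFound = $true
                $status.SchemaVersion = $hit.Properties["mspki-template-schema-version"][0]
                $status.WhenChanged   = $hit.Properties["whenchanged"][0]
            }
        } catch {
            # An unreachable DC (offline, or a firewalled remote site) is reported, not fatal.
            $status.Error = $_.Exception.Message
        }
        New-Object PSObject -Property $status |
            Select-Object DomainController, TemplateFound, SchemaVersion, WhenChanged, Error
    }
}

# Usage: one row per DC; keep re-running until TemplateFound is True everywhere.
# Test-TemplateReplication -TemplateName "ConfigMgrWebServer" | Format-Table -AutoSize
```

If the DC your CA uses already shows the template but the snap-in still does not list it, the CA’s own view of the templates may simply be stale; adding the template from the command line with certutil -SetCATemplates +TemplateName bypasses the snap-in list. If you have replication rights (Domain Admins by default), repadmin /syncall /A /e on a DC in the CA’s site forces a forest-wide sync rather than waiting for the inter-site schedule.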
