exocet_cm (Premium Member, joined 2003-03-23, Brooklyn, NY)
[Windows] 2K8 R2 certificates, EFS, and CA question

1: CA and subordinate CA. I have my sub-CA handling all cert requests for my domain and remote sites. On rare occasions, an auto-enroll cert might get issued by my root CA. For management's and security's sake, I'd like to have everything issued by my sub-CA.
Should I
• Disable certificate services on my root CA?
• Remove all certificates from issuance on the root CA (CA still running but with no certs to issue)?

2: EFS certificates and DFS. I know it isn't supported, but on my test clients, when they first encrypt a file, they pull the "Basic EFS" certificate from my sub-CA and the file gets encrypted using the certificate issued by the sub-CA.
The first time the encrypted file is put into a redirected folder with offline files support (a folder residing on a DFS share), the DFS server that they are connected to requests a second EFS certificate on behalf of that user. The file is now encrypted using a second EFS certificate. How can I get around this? I've revoked about 6 EFS certificates last night during my testing because the DFS server keeps requesting a cert on behalf of the user. It's a PITA. I'll mention that the test client is only hitting the primary DFS server. The other three can't be connected to from the client (target referral disabled).

3: Under Certificate Manager, Current User, "Active Directory User Object", what is this store for? I've noticed that the server(s) that request an EFS cert for the user have the cert in this certificate store. Does this store act as a "roaming profile" location for domain users' certs?
If so, can I pre-populate this store with user certs? Would placing an EFS cert in this store allow the user to decrypt their EFS files from any computer they log in to?
As an aside, is there a way to view the properties of this store from the DC side via ADUC advanced properties?
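Added example, not part of the original post: the "Active Directory User Object" store that certmgr.msc shows for the current user is read from the userCertificate attribute of that user's AD account (the same attribute the "Published Certificates" tab shows in ADUC once Advanced Features is enabled). The PowerShell below pulls that attribute for a given account with a plain ADSI search (no RSAT module needed, so it runs on a 2008 R2 box), decodes each value as an X.509 certificate, reports which CA issued it, and warns when more than one unexpired EFS certificate is published for the user, which is the duplicate-certificate symptom described under point 2. The account name, and the assumption that the machine is domain-joined with read access to the user object, are placeholders and assumptions of this example.

```powershell
# Added example (not from the original post). Decodes the certificates published in a
# domain user's AD object (the userCertificate attribute, shown by certmgr.msc as the
# "Active Directory User Object" store) and flags EFS certificates and their issuers.
# Assumptions: domain-joined host, read access to the user object, placeholder account name.

param(
    [string]$SamAccountName = 'jdoe'   # placeholder: replace with the test user's logon name
)

# Enhanced Key Usage OID for "Encrypting File System"
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

function Get-PublishedUserCertificates {
    param([Parameter(Mandatory = $true)][string]$Sam)

    # Plain ADSI/LDAP search against the current domain; no ActiveDirectory module required.
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    $searcher = [adsisearcher]$filter
    $searcher.PropertiesToLoad.Add('userCertificate')   | Out-Null
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$Sam' not found in the current domain." }

    $dn = $result.Properties['distinguishedname'][0]

    # userCertificate is multi-valued; every value is one DER-encoded X.509 certificate.
    foreach ($blob in $result.Properties['usercertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)

        # Collect the EKU OIDs so we can tell an EFS cert from, e.g., a user authentication cert.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        New-Object PSObject -Property @{
            User       = $dn
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer          # tells you whether the root CA or the sub-CA issued it
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            IsEfs      = ($ekus -contains $EfsEku)
            EKUs       = ($ekus -join ',')
        }
    }
}

$certs = @(Get-PublishedUserCertificates -Sam $SamAccountName)

$certs | Sort-Object NotBefore |
    Format-Table Subject, Issuer, Thumbprint, NotBefore, NotAfter, IsEfs -AutoSize

# More than one unexpired EFS certificate published for the same user means a second
# EFS cert was enrolled (for example, requested on the user's behalf by a file server).
$efs = @($certs | Where-Object { $_.IsEfs -and $_.NotAfter -gt (Get-Date) })
if ($efs.Count -gt 1) {
    $issuers = ($efs | ForEach-Object { $_.Issuer } | Sort-Object -Unique) -join ' | '
    Write-Warning ("{0} unexpired EFS certificates are published for {1}; issuers: {2}" -f `
        $efs.Count, $SamAccountName, $issuers)
}
```

Run it as a domain user with read access to the target account (any authenticated domain user can normally read userCertificate). Comparing the Issuer column against the root CA's and sub-CA's names shows at a glance which CA issued each certificate, and the thumbprints are what you would compare against the Personal store on the client and on the DFS server to see which machine holds the private key for each EFS certificate.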