RE: [ActiveDir] Certificate Services & AD

2005-11-07 Thread Devan Pala

Awesome,

Thanks a lot



Original Message Follows
From: "Ken Schaefer" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
Subject: RE: [ActiveDir] Certificate Services & AD
Date: Mon, 7 Nov 2005 15:03:41 +1100

Not a web resource, but I've found this MS Press book to be a reasonably
good primer. It covers hardware (to some extent), multiple levels of
hierarchy, developing your certificate policies etc.

http://www.amazon.com/exec/obidos/tg/detail/-/0735620210/
Microsoft Windows Server(TM) 2003 PKI and Certificate Security

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, 7 November 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Certificate Services & AD

Can anyone please recommend a good web resource for deploying certificate
services in an Active Directory environment.

I was interested in best practices for CA hierarchy, stand-alone or
enterprise, hardware config. etc.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Certificate Services & AD

2005-11-07 Thread Fugleberg, David A
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx#EJAA
is a 'best practices' guide that
addresses some of this.  It covers some of the high-level decisions, and
then goes through a scenario for a three-tier CA hierarchy that you can
reproduce in a lab.

There are a few errors in the doc that are kind of confusing, and it's
not terribly well organized, but it does contain quite a bit of useful
info.  Let me know if you're interested and I can point out a couple
errors that might save you some time and grief.

There's also an operations guide at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx,
but I haven't had time to dig through it in
any detail yet.

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Sunday, November 06, 2005 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Certificate Services & AD


Hi all,

Can anyone please recommend a good web resource for deploying
certificate 
services in an Active Directory environment.

I was interested in best practices for CA hierarchy, stand-alone or 
enterprise, hardware config. etc.

Thanks in advance.




RE: [ActiveDir] Certificate Services & AD

2005-11-06 Thread Ulf B. Simon-Weidner
Hello Devan,

The book Ken references is pretty good. The author, Brian Komar, did a lot
of PKI deployments at major companies across the US and the world, is a
visiting speaker at a lot of conferences like TechEds and is an MVP for Windows
Security. His company specializes in PKI deployments.

He also was involved in a lot of stuff available at microsoft.com about the
subject, you'll find a reference to the PKI Whitepapers and KBs at
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
|Sent: Monday, November 07, 2005 5:00 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Certificate Services & AD
|
|Hi all,
|
|Can anyone please recommend a good web resource for deploying 
|certificate services in an Active Directory environment.
|
|I was interested in best practices for CA hierarchy, 
|stand-alone or enterprise, hardware config. etc.
|
|Thanks in advance.
|
|
|




RE: [ActiveDir] Certificate Services & AD

2005-11-06 Thread Ken Schaefer
Not a web resource, but I've found this MS Press book to be a reasonably
good primer. It covers hardware (to some extent), multiple levels of
hierarchy, developing your certificate policies etc.

http://www.amazon.com/exec/obidos/tg/detail/-/0735620210/
Microsoft Windows Server(TM) 2003 PKI and Certificate Security

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, 7 November 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Certificate Services & AD

Can anyone please recommend a good web resource for deploying certificate 
services in an Active Directory environment.

I was interested in best practices for CA hierarchy, stand-alone or 
enterprise, hardware config. etc.


[ActiveDir] Certificate Services & AD

2005-11-06 Thread Devan Pala

Hi all,

Can anyone please recommend a good web resource for deploying certificate 
services in an Active Directory environment.


I was interested in best practices for CA hierarchy, stand-alone or 
enterprise, hardware config. etc.


Thanks in advance.




RE: [ActiveDir] Certificate Services

2004-04-20 Thread Mulnick, Al



When you issue a certificate, you generally want to control 
it as well. In order to trust the cert, you generally have to have access to the 
certificate store or one of the components to verify the trust hierarchy.  
If the CA is unavailable, then you cannot a) control the certificate if it 
becomes compromised (revoke it) and b) contact a CA for trust hierarchy.  
Since a best practice is to have the root CA offline, you can separate the roles 
of the CA hierarchy or you can have them all on one machine as is the default. 

 
 
Al


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 2:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Certificate Services

Thanks guys.  One question about this line "The client will require access to the CA machine if only one machine is hosting all functions."  I'm a little confused by this.  The server that the cert will be installed on is in a DMZ.  We plan on putting it in our network and installing the cert on it and then putting it back in the DMZ.  Client accessing this from the internet would not be able to hit the CA then.  Wouldn't the client be getting the cert from the server in the DMZ instead and wouldn't have to talk to the CA.

Oh and thanks for the link on Technet.  I was looking for it before but couldn't find it.

Mike

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 20, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Certificate Services

Also, if you don't want to go through the hassle of installing a CA you can generate a cert using OpenSSL.  Very easy.  As Al already mentioned users will get a popup using this method as well.

Resource:  http://eal.us/blog/_archives/2003/6/2/25109.html  (make sure you take note of the section that deals with OWA)

Good luck,

john

Mulnick, Al composed the following message @ 01:11 PM 4/20/2004:
>The certificate doesn't do anything about authentication from a DC
>standpoint necessarily.  The DC is still required for authentication of
>the user credentials as well as authorization services.  The
>certificate will allow your user to encrypt the conversation from the
>web client to the web server thereby adding a layer of protection to
>the conversation from prying eyes (or sniffers as the case may be).
>
>Using your own certificate can be done, but often the overhead isn't
>worth it.  Allowing a third party to manage the cert is a lot easier in
>terms of management, reliability, hardware, etc.  The client will
>require access to the CA machine if only one machine is hosting all
>functions.  Add to that they will get a popup asking if they want to
>use this cert since it's not in the cache to date.  It's just not as
>clean from a user interface perspective, but workable if all else is
>worth it to you.
>
>http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx
>is a primer for Windows 2000 PKI that may help to explain some of the
>additional components.
>
>AL
>
>--
>From: Celone, Mike [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, April 20, 2004 12:00 PM
>To: '[EMAIL PROTECTED]'
>Subject: [ActiveDir] Certificate Services
>
>We are looking to add a certificate to one of our web servers so we can
>do an https session over it.  This will be for our users to access OWA
>over a secure connection.  Instead of purchasing a certificate from
>Verisign we would like to put up a CA server and use our own
>certificates.  Is this the common way of doing this?  Once the
>certificate is issued does the OWA server need to talk to the DC
>anymore?  I'm new to all the certificate stuff so any help is
>appreciated!
>
>Mike Celone
>Systems Specialist
>Radio Frequency Systems
>v 203-630-3311 x1031
>f 203-634-2027
>m 203-537-2406
>



RE: [ActiveDir] Certificate Services

2004-04-20 Thread Mulnick, Al
I may have missed something here, but I read "This tutorial assumes that you
have a Linux box with OpenSSL installed, and that you want to create a
self-signed certificate for IIS5.0"
as indicating that I would have to setup a CA regardless.  I think what I
was getting at in his case is that he may not want the overhead of
installing a CA and then managing the certs.  I should think that he can use
Linux, Windows, OS/390, etc to run a CA if he was so inclined.

Cool step by step though.  I'll have to bookmark that :)

 

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Certificate Services

Also, if you don't want to go through the hassle of installing a CA you can
generate a cert using OpenSSL.  Very easy.  As Al already mentioned users
will get a popup using this method as well.

Resource:  http://eal.us/blog/_archives/2003/6/2/25109.html  (make sure you
take note of the section that deals with OWA)

Good luck,

john

Mulnick, Al composed the following message @ 01:11 PM 4/20/2004:
>The certificate doesn't do anything about authentication from a DC 
>standpoint necessarily.  The DC is still required for authentication of 
>the user credentials as well as authorization services.  The 
>certificate will allow your user to encrypt the conversation from the 
>web client to the web server thereby adding a layer of protection to 
>the conversation from prying eyes (or sniffers as the case may be).
>
>Using your own certificate can be done, but often the overhead isn't 
>worth it.  Allowing a third party to manage the cert is a lot easier in 
>terms of management, reliability, hardware, etc.  The client will 
>require access to the CA machine if only one machine is hosting all 
>functions.  Add to that they will get a popup asking if they want to 
>use this cert since it's not in the cache to date.  It's just not as 
>clean from a user interface perspective, but workable if all else is worth
it to you.
>
>
><http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx>
>http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx
>is a primer for Windows 2000 PKI that may help to explain some of the 
>additional components.
>
>AL
>
>
>--
>From: Celone, Mike [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, April 20, 2004 12:00 PM
>To: '[EMAIL PROTECTED]'
>Subject: [ActiveDir] Certificate Services
>
>We are looking to add a certificate to one of our web servers so we can 
>do an https session over it.  This will be for our users to access OWA 
>over a secure connection.  Instead of purchasing a certificate from 
>Verisign we would like to put up a CA server and use our own 
>certificates.  Is this the common way of doing this?  Once the 
>certificate is issued does the OWA server need to talk to the DC 
>anymore?  I'm new to all the certificate stuff so any help is appreciated!
>
>Mike Celone
>Systems Specialist
>Radio Frequency Systems
>v 203-630-3311 x1031
>f 203-634-2027
>m 203-537-2406
>

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Certificate Services

2004-04-20 Thread Celone, Mike





Thanks guys.  One question about this line "The client will require access to the CA machine if only one machine is hosting all functions."  I'm a little confused by this.  The server that the cert will be installed on is in a DMZ.  We plan on putting it in our network and installing the cert on it and then putting it back in the DMZ.  Client accessing this from the internet would not be able to hit the CA then.  Wouldn't the client be getting the cert from the server in the DMZ instead and wouldn't have to talk to the CA.

Oh and thanks for the link on Technet.  I was looking for it before but couldn't find it.


Mike 


-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 20, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Certificate Services


Also, if you don't want to go through the hassle of installing a CA you can generate a cert using OpenSSL.  Very easy.  As Al already mentioned users will get a popup using this method as well.

Resource:  http://eal.us/blog/_archives/2003/6/2/25109.html  (make sure you take note of the section that deals with OWA)

Good luck,


john


Mulnick, Al composed the following message @ 01:11 PM 4/20/2004:
>The certificate doesn't do anything about authentication from a DC 
>standpoint necessarily.  The DC is still required for authentication of 
>the user credentials as well as authorization services.  The 
>certificate will allow your user to encrypt the conversation from the 
>web client to the web server thereby adding a layer of protection to 
>the conversation from prying eyes (or sniffers as the case may be).
>
>Using your own certificate can be done, but often the overhead isn't 
>worth it.  Allowing a third party to manage the cert is a lot easier in 
>terms of management, reliability, hardware, etc.  The client will 
>require access to the CA machine if only one machine is hosting all 
>functions.  Add to that they will get a popup asking if they want to 
>use this cert since it's not in the cache to date.  It's just not as 
>clean from a user interface perspective, but workable if all else is worth it to you.
>
>
><http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx>
>http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx
>is a primer for Windows 2000 PKI that may help to explain some of the 
>additional components.
>
>AL
>
>
>------
>From: Celone, Mike [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, April 20, 2004 12:00 PM
>To: '[EMAIL PROTECTED]'
>Subject: [ActiveDir] Certificate Services
>
>We are looking to add a certificate to one of our web servers so we can 
>do an https session over it.  This will be for our users to access OWA 
>over a secure connection.  Instead of purchasing a certificate from 
>Verisign we would like to put up a CA server and use our own 
>certificates.  Is this the common way of doing this?  Once the 
>certificate is issued does the OWA server need to talk to the DC 
>anymore?  I'm new to all the certificate stuff so any help is appreciated!
>
>Mike Celone
>Systems Specialist
>Radio Frequency Systems
>v 203-630-3311 x1031
>f 203-634-2027
>m 203-537-2406
>







RE: [ActiveDir] Certificate Services

2004-04-20 Thread John Singler
Also, if you don't want to go through the hassle of installing a CA you can 
generate a cert using OpenSSL.  Very easy.  As Al already mentioned users 
will get a popup using this method as well.

Resource:  http://eal.us/blog/_archives/2003/6/2/25109.html  (make sure you 
take note of the section that deals with OWA)

Good luck,

john

Mulnick, Al composed the following message @ 01:11 PM 4/20/2004:
The certificate doesn't do anything about authentication from a DC 
standpoint necessarily.  The DC is still required for authentication of 
the user credentials as well as authorization services.  The certificate 
will allow your user to encrypt the conversation from the web client to 
the web server thereby adding a layer of protection to the conversation 
from prying eyes (or sniffers as the case may be).

Using your own certificate can be done, but often the overhead isn't worth 
it.  Allowing a third party to manage the cert is a lot easier in terms of 
management, reliability, hardware, etc.  The client will require access to 
the CA machine if only one machine is hosting all functions.  Add to that 
they will get a popup asking if they want to use this cert since it's not 
in the cache to date.  It's just not as clean from a user interface 
perspective, but workable if all else is worth it to you.

http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx
is a primer for Windows 2000 PKI that may help to explain some of the 
additional components.

AL

--
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 12:00 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Certificate Services
We are looking to add a certificate to one of our web servers so we can do 
an https session over it.  This will be for our users to access OWA over a 
secure connection.  Instead of purchasing a certificate from Verisign we 
would like to put up a CA server and use our own certificates.  Is this 
the common way of doing this?  Once the certificate is issued does the OWA 
server need to talk to the DC anymore?  I'm new to all the certificate 
stuff so any help is appreciated!

Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031
f 203-634-2027
m 203-537-2406


RE: [ActiveDir] Certificate Services

2004-04-20 Thread Mulnick, Al



The certificate doesn't do anything about authentication 
from a DC standpoint necessarily.  The DC is still required for 
authentication of the user credentials as well as authorization services.  
The certificate will allow your user to encrypt the conversation from the web 
client to the web server thereby adding a layer of protection to the 
conversation from prying eyes (or sniffers as the case may be). 

 
Using your own certificate can be done, but often the 
overhead isn't worth it.  Allowing a third party to manage the cert is a 
lot easier in terms of management, reliability, hardware, etc.  The client 
will require access to the CA machine if only one machine is hosting all 
functions.  Add to that they will get a popup asking if they want to use 
this cert since it's not in the cache to date.  It's just not as clean from 
a user interface perspective, but workable if all else is worth it to 
you.
 
 
http://www.microsoft.com/technet/security/topics/crypto/cryptpki.mspx is 
a primer for Windows 2000 PKI that may help to explain some of the additional 
components.
 
AL


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 12:00 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Certificate Services

We are looking to 
add a certificate to one of our web servers so we can do an https session over 
it.  This will be for our users to access OWA over a secure 
connection.  Instead of purchasing a certificate from Verisign we would 
like to put up a CA server and use our own certificates.  Is this the 
common way of doing this?  Once the certificate is issued does the OWA 
server need to talk to the DC anymore?  I'm new to all the certificate 
stuff so any help is appreciated! 
 
Mike Celone
Systems Specialist
Radio Frequency 
Systems
v 203-630-3311 x1031 
f 203-634-2027
m 203-537-2406
 


[ActiveDir] Certificate Services

2004-04-20 Thread Celone, Mike



We are looking to 
add a certificate to one of our web servers so we can do an https session over 
it.  This will be for our users to access OWA over a secure 
connection.  Instead of purchasing a certificate from Verisign we would 
like to put up a CA server and use our own certificates.  Is this the 
common way of doing this?  Once the certificate is issued does the OWA 
server need to talk to the DC anymore?  I'm new to all the certificate 
stuff so any help is appreciated! 
 
Mike Celone
Systems Specialist
Radio Frequency 
Systems
v 203-630-3311 x1031 
f 203-634-2027
m 203-537-2406
 




RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

2003-10-25 Thread Myrick, Todd (NIH/CIT)
I am currently working on a project to deploy Windows 2003 PKI.  

I will do my best to post to my BLOG things I take away from the planning
"Or lack thereof", implementation, and operations to show you how we are
going about establishing PKI infrastructure, and integrating both Microsoft
Technology, and third-party technology.

The biggest low hanging fruit Microsoft deployed their PKI for recently was
to support both VPN, and Wireless access to their networks.

Many people get hung up on trying to deploy PKI for E-mail, or Web sites and
get bogged down in organization politics.  It is pretty easy to do.

Windows 2003 PKI has a couple pretty good features that address the Chronic
problems associated with PKI deployments for user certificates, and also
address some of the acute problems associated with certificates for
potential clients of PKI infrastructure.

Specifically:  

Identity Management

Auto enrollment are now features of the OS, not Exchange.

Root CA's can now be Bridge for Bridge CA's so it is easier to create
relationships with outside entities and not have to rely on costly solutions
from the major vendors to give end users certs for signing and encryption.

There is still work to be done when it comes to presenting the path and
location the user is at within the organization.

I believe by default Microsoft will put on the certificates the location
within the AD to find the PKI credentials Public keys.  This works well for
internal operations of PKI, but Extranet, and Intranet use of the
credentials should not expose the organizational structure IMHO, and the
directory should be pretty flat.  IE xyz.com  Not
CN=userID,OU=AD,DC=xyz,DC=gov.  More like = CN=UPN,DC=xyz,DC=gov.  I have
not done that much research yet to determine the best way to accomplish
that.

Wireless & VPN improvements

Provisioning PKI credentials for hosts that don't support or participate in
AD natively has been a challenge.  Remember when I fired up Robbie at DEC.
That is because there is a need for better wireless security, and the
vendors are all trying to be innovative and come up with their own solution
to the problem and write RFC's etc, instead of just working together and
realizing that this solution is nothing more than strategic, and will not be
a revenue generator except to sell existing products.  I believe Cisco and
Microsoft have been working together to make integration between CISCO
hardware and AD much better.  I would like to believe it is because I told
Robbie I was unhappy.  Hehe

Robbie, maybe you can fill in the list on what some of the initiatives are
at play in CISCO related to Windows 2003 PKI.

Delta CRL's:  This is a very important development because CRL's could take
time to publish throughout the organization if it spanned multiple time
zones.  When you want to stop someone from accessing your network once you
revoke their credentials, DCRL is the way to do it by software.  I am sure
there are hardware solutions.

Hardware Improvements

I also believe the API's and the OS have better support for Security
hardware.  I would love to be able to use memory stick technology to keep my
certs off my user profile, or better yet, export my user profile, and My
Documents to a USB device or smart media.

More to come.

Todd Myrick

 

  

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 25, 2003 2:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Certificate Services (was Active Directory Cookbo
ok)

Certificate Services didn't make it into the AD Cookbook, but will in a
future book.  As far as good sources today, it really depends on if you are
talking about Windows 2000 or Windows Server 2003.  There were quite a few
enhancements to Cert Services in 2003.  Here are a few links you may want to
take a look at (links may wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp


http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp


Robbie Allen
http://www.rallenhome.com/


> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 24, 2003 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
> 
> Thanks.  I can see I will have some reading to do this weekend.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > From: [EMAIL PROTECTED]
> > Date: Fri, October 24, 2003 12:57 pm
> > To: [EMAIL PROTECTED]
> > 
> > While not a cookbook per se, I have found this link useful in my
> > understanding of PKI:
> > http://tinyurl.com/s8y1
>
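
Added example (not part of the thread and not Microsoft's code): a small Python model of how a relying party combines a base CRL with a delta CRL, following the combination rules in RFC 5280 section 5.2.4, to illustrate the delta CRL point in the message above. All serial numbers, dates and publication periods are constructed, and returning "unknown" for an unusable delta is a fail-closed choice made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Crl:
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: frozenset                      # serials listed as revoked
    base_crl_number: Optional[int] = None   # present only on a delta CRL
    removed: frozenset = frozenset()        # removeFromCRL entries (delta only)


def status(serial, now, base, delta=None):
    """Return 'revoked', 'good' or 'unknown' for one certificate serial."""
    if base.base_crl_number is not None:
        raise ValueError("first CRL must be a complete (base) CRL")
    if not (base.this_update <= now <= base.next_update):
        return "unknown"                    # stale base CRL: no decision
    revoked = set(base.revoked)
    if delta is not None:
        usable = (
            delta.base_crl_number is not None
            # the base we hold must be at least as new as the one the
            # delta was computed against ...
            and base.crl_number >= delta.base_crl_number
            # ... and the delta must follow it in the numbering sequence
            and delta.crl_number > base.crl_number
            and delta.this_update <= now <= delta.next_update
        )
        if not usable:
            return "unknown"                # fail closed (example policy)
        revoked |= delta.revoked            # newly revoked since the base
        revoked -= delta.removed            # e.g. released from hold
    return "revoked" if serial in revoked else "good"


def next_publication(event, epoch, period):
    """First scheduled publication at or after `event`.

    This is the earliest moment a revocation can appear in a CRL that is
    published every `period` starting at `epoch`; client-side caching can
    only add to it.
    """
    elapsed = event - epoch
    periods = -((-elapsed) // period)       # ceiling division on timedeltas
    return epoch + periods * period


# Constructed scenario: weekly base CRL, daily delta CRL.
EPOCH = datetime(2005, 11, 7)
BASE = Crl(
    crl_number=10,
    this_update=EPOCH,
    next_update=EPOCH + timedelta(days=7),
    revoked=frozenset({0x1001, 0x4004}),    # 0x4004 is on hold
)
DELTA = Crl(
    crl_number=12,
    this_update=EPOCH + timedelta(days=2),
    next_update=EPOCH + timedelta(days=3),
    revoked=frozenset({0x2002}),            # revoked after the base was issued
    base_crl_number=10,
    removed=frozenset({0x4004}),            # hold released
)
NOW = EPOCH + timedelta(days=2, hours=1)
REVOKED_AT = EPOCH + timedelta(days=1, hours=10)

if __name__ == "__main__":
    for serial in (0x1001, 0x2002, 0x4004, 0x3003):
        print(hex(serial),
              "base only:", status(serial, NOW, BASE),
              "| base+delta:", status(serial, NOW, BASE, DELTA))
    print("visible via base :",
          next_publication(REVOKED_AT, EPOCH, timedelta(days=7)))
    print("visible via delta:",
          next_publication(REVOKED_AT, EPOCH, timedelta(days=1)))
```
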

RE: [ActiveDir] Certificate Services (was Active Directory Cookbook)

2003-10-24 Thread Robbie Allen
Certificate Services didn't make it into the AD Cookbook, but will in a
future book.  As far as good sources today, it really depends on if you are
talking about Windows 2000 or Windows Server 2003.  There were quite a few
enhancements to Cert Services in 2003.  Here are a few links you may want to
take a look at (links may wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/SE_PKI.asp


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp


http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp


Robbie Allen
http://www.rallenhome.com/


> -Original Message-
> From: Daniel Gilbert [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 24, 2003 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Active Directory Cookbook
> 
> 
> Thanks.  I can see I will have some reading to do this weekend.
> 
> Dan
> >  Original Message 
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > From: [EMAIL PROTECTED]
> > Date: Fri, October 24, 2003 12:57 pm
> > To: [EMAIL PROTECTED]
> > 
> > While not a cookbook per se, I have found this link useful in my
> > understanding of PKI:
> > http://tinyurl.com/s8y1
> >  
> > HTH
> >  
> >  
> > Sincerely,
> > 
> > Dèjì Akómöláfé, MCSE MCSA MCP+I
> > www.akomolafe.com
> > www.iyaburo.com
> > Do you now realize that Today is the Tomorrow you were worried about
> > Yesterday?  -anon
> > 
> > 
> > 
> > From: [EMAIL PROTECTED] on behalf of Daniel Gilbert
> > Sent: Fri 10/24/2003 11:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Active Directory Cookbook
> > 
> > 
> > 
> > Robbie,
> > 
> > I haven't gotten my copy of your book yet, I know :-(, I waited until
> > just recently to order it.  I looked at the table of contents but did not
> > see any thing about Certificate Services, is it there and I just missed
> > it??
> > 
> > If it is not in your book, as the "Master of Cookbooks" can you suggest
> > a good source for learning Certificate Services structure and
> > installing guide.
> > 
> > I am trying to get my head around Certificate Service in order to
> > answer some structure questions.
> > 
> > Dan
> > >  Original Message 
> > > Subject: RE: [ActiveDir] Active Directory Cookbook
> > > From: "Robbie Allen" <[EMAIL PROTECTED]>
> > > Date: Fri, October 24, 2003 9:43 am
> > > To: "'[EMAIL PROTECTED]'" 
> <[EMAIL PROTECTED]>
> > >
> > > Thanks for all of the positive feedback about the book.  I give the
> > > credit to my all-star cast of reviewers :-)
> > > 
> > > My main goal was to produce a reference that would help AD admins get
> > > their job done quicker and easier.  There is just too much stuff AD
> > > admins have to remember and that's why I thought the O'Reilly cookbook
> > > format would work especially well in this case.
> > > 
> > > If you have the book (or even if you don't), be sure to check out the
> > > following web site, which has all of the code in the book and any
> > > corrections: http://www.rallenhome.com/books/adcookbook/code.html
> > > 
> > > 
> > > Keep the feedback coming
> > > 
> > > Regards,
> > > Robbie Allen
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]
> > >
> > > Sent: Friday, October 24, 2003 11:51 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Active Directory Cookbook
> > >
> > >
> > >
> > > Agreed - I got mine yesterday from Amazon and I must say that this
> > > should be
> > > on the shelf of every AD administrator. Period.
> > >
> > > Michael Parent MCSE MCT
> > > Analyst I - Web Services
> > > ITOS - Systems Enablement
> > > Maritime Life Assurance Company
> > > (902) 453-7300 x3456
> > >
> > >
> > >
> > >   "Lou Vega" <[EMAIL PROTECTED]>
> > > Sent by: [EMAIL PROTECTED]
> > >
> > >
> > > 10/24/2003 10:37 AM
> > > Please respond to ActiveDir
> > >
> > >
> > >
> > > To:<[EMAIL PROTECTED]>
> > > cc:
> > > Subject:[ActiveDir] Active Directory Cookbook
> > >
> > >
> > >
> > > Received my very own copy of Mr. Robbie Allen's "Tuna" book last night
> > > from Amazon.com - in the first night's reading the book is already
> > > proving its worth as I see how to do certain things much simpler than
> > > I had done them before (with regards to the VBScripts included), as
> > > well as learn new things I didn't realize could be done (in both AD2K
> > > and AD2K3). The book will be very handy as I continue to stand up my
> > > development Windows 2003 domain.
> > >  
> > > To anyone else on this list who hasn't gotten it yet...it's a
> > > worthwhile
> > > addition to your Acti