Changing Global Group to Domain Local Group.
Rob McShinsky
Guest
Posted: Thu Jan 06, 2005 8:23 pm    Post subject: Changing Global Group to Domain Local Group.

In my Windows 2000 domain (native mode), that is almost completely upgraded
to Windows 2003 I want to change my Cert Publishers group from a Global
Group to a Domain Local Group. If you install 2003 from scratch and make it
a domain controller this group is a Domain Local Group even if you are in
Windows 2000 native mode. Currently the ability to switch this group is
greyed out.

The reasoning behind this is we are building a 2-tiered Certificate
Authority structure with the Issuing Certificate Authority in the Root
domain. All users and computer objects are in the child domain. So unless
I can put the CA computer object that is in the root domain in the Child
domain Cert Publishers group, the certificates issued to users in the child
domain do not work. If the Cert publishers group is a Domain Local group I
can easily see the CA server in the Root Domain and can add it correctly.

Does anyone have any experience with 2-tiered CA's within a 2-tiered forest?

Thanks

Rob McShinsky
Back to top
Steven L Umbach
Guest
Posted: Fri Jan 07, 2005 6:10 am    Post subject: Re: Changing Global Group to Domain Local Group.

I have never had to deal with that but see if the info in the link below is
helpful. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281271

"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:uJbU7s$8EHA.1228@tk2msftngp13.phx.gbl...
Quote:
In my Windows 2000 domain (native mode), that is almost completely upgraded
to Windows 2003 I want to change my Cert Publishers group from a Global
Group to a Domain Local Group. If you install 2003 from scratch and make
it a domain controller this group is a Domain Local Group even if you are
in Windows 2000 native mode. Currently the ability to switch this group
is greyed out.

The reasoning behind this is we are building a 2-tiered Certificate
Authority structure with the Issuing Certificate Authority in the Root
domain. All users and computer objects are in the child domain. So
unless I can put the CA computer object that is in the root domain in the
Child domain Cert Publishers group, the certificates issued to users in
the child domain do not work. If the Cert publishers group is a Domain
Local group I can easily see the CA server in the Root Domain and can add
it correctly.

Does anyone have any experience with 2-tiered CA's within a 2-tiered
forest?

Thanks

Rob McShinsky
Back to top
Guest
Posted: Fri Jan 07, 2005 6:31 am    Post subject: Re: Changing Global Group to Domain Local Group.

change it to universal come out of group
go back into group and change it to a DL Group.

Mark

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:OroWX1E9EHA.2600@TK2MSFTNGP09.phx.gbl...
Quote:
I have never had to deal with that but see if the info in the link below is
helpful. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281271
Back to top
Steven L Umbach
Guest
Posted: Fri Jan 07, 2005 9:49 am    Post subject: Re: Changing Global Group to Domain Local Group.

Except that he indicated he can not change it from global group. --- Steve


"<Shiny Bob>" <parris@newsguy,com> wrote in message
news:crkl8102dfm@news3.newsguy.com...
Quote:
change it to universal come out of group
go back into group and change it to a DL Group.

Mark
Back to top
Roger Abell
Guest
Posted: Fri Jan 07, 2005 3:31 pm    Post subject: Re: Changing Global Group to Domain Local Group.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:e0DvyvG9EHA.2700@TK2MSFTNGP14.phx.gbl...
Quote:
Except that he indicated he can not change it from global group. ---
Steve


That is where I got stuck also . . .

--
Roger
Back to top
Shiny Bob
Guest
Posted: Fri Jan 07, 2005 5:28 pm    Post subject: Re: Changing Global Group to Domain Local Group.

he cannot change it from global to local - no mention of universal .
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:e0DvyvG9EHA.2700@TK2MSFTNGP14.phx.gbl...
Quote:
Except that he indicated he can not change it from global group. ---
Steve
Back to top
Rob McShinsky
Guest
Posted: Fri Jan 07, 2005 9:16 pm    Post subject: Re: Changing Global Group to Domain Local Group.

Sorry for the lack of detail. Unable to change to any group type. All
options are greyed.


"Shiny Bob" <parris@newsguy.com> wrote in message
news:crlrpm02f4s@news3.newsguy.com...
Quote:
he cannot change it from global to local - no mention of universal .
Back to top
Steven L Umbach
Guest
Posted: Fri Jan 07, 2005 11:02 pm    Post subject: Re: Changing Global Group to Domain Local Group.

Did you try the recommendation in KB281271?? It basically uses delegation,
and dsacls to give parent domain CA permissions in the child domain? --
Steve

"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:eTTibvM9EHA.3320@TK2MSFTNGP10.phx.gbl...
Quote:
Sorry for the lack of detail. Unable to change to any group type. All
options are greyed.
Back to top
Rob McShinsky
Guest
Posted: Sat Jan 08, 2005 3:02 am    Post subject: Re: Changing Global Group to Domain Local Group.

Yes I did. I am however still getting errors when my domain controllers try
to autoenroll DC certs. It is giving a privilege denied message. Listed
below.

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 1/6/2005
Time: 11:12:33 AM
User: N/A
Computer: ZDHT02
Description:
Certificate Services could not publish a Certificate for request 16 to the
following location on server dh325.dhmcmaster.dh.hitchcock.org:
CN=DH325,OU=Domain Controllers,DC=dhmcmaster,DC=dh,DC=hitchcock,DC=org.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344).
ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uU0cbqN9EHA.1300@TK2MSFTNGP14.phx.gbl...
Quote:
Did you try the recommendation in KB281271?? It basically uses delegation,
and dsacls to give parent domain CA permissions in the child domain? --
Steve
Back to top
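
The error values in the event quoted in the post above, decoded as an added example (not part of the original thread, and not code from any poster or from Microsoft): it parses the event 80 description, checks that the HRESULT, the WIN32 value and the LDAP result all describe the same access-denied failure, and extracts the directory object the CA could not write to. The function names are hypothetical; the event text is copied from the post.

```python
import re

# Description of the CertSvc event 80 quoted in the post above, with the
# forum's hard line wraps left in place.
EVENT_80 = """\
Certificate Services could not publish a Certificate for request 16 to the
following location on server dh325.dhmcmaster.dh.hitchcock.org:
CN=DH325,OU=Domain Controllers,DC=dhmcmaster,DC=dh,DC=hitchcock,DC=org.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344).
ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
"""

FACILITY_WIN32 = 7                       # HRESULT facility for wrapped Win32 errors
ERROR_DS_INSUFF_ACCESS_RIGHTS = 8344     # Win32 directory-service error
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 0x32   # LDAP resultCode 50

_EVENT_RE = re.compile(
    r"request (?P<request>\d+) to the following location on server "
    r"(?P<server>\S+): (?P<dn>.+?)\. .*?"
    r"(?P<hresult>0x[0-9A-Fa-f]{8}) \(WIN32: (?P<win32>\d+)\)\. "
    r"ldap: (?P<ldap>0x[0-9A-Fa-f]+): (?P<dserr>[0-9A-Fa-f]{8}):"
)


def split_hresult(hresult):
    """Return (failure bit, facility, code) of a 32-bit HRESULT."""
    return hresult >> 31, (hresult >> 16) & 0x7FF, hresult & 0xFFFF


def split_dn(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def triage_publish_failure(description):
    """Parse an event 80 description; return None if it is not in that shape."""
    text = " ".join(description.split())      # undo the line wrapping
    m = _EVENT_RE.search(text)
    if m is None:
        return None
    failed, facility, code = split_hresult(int(m["hresult"], 16))
    win32, ldap, dserr = int(m["win32"]), int(m["ldap"], 16), int(m["dserr"], 16)
    # The HRESULT, the WIN32 value and the directory error in the ldap line
    # should all be the same error; a mismatch means the text was mangled.
    consistent = failed == 1 and facility == FACILITY_WIN32 and code == win32 == dserr
    rdns = split_dn(m["dn"])
    return {
        "request_id": int(m["request"]),
        "directory_server": m["server"],
        "target_dn": m["dn"],
        "target_object": rdns[0][1],
        "target_domain": ".".join(v for a, v in rdns if a == "DC"),
        "win32_error": win32,
        "ldap_result": ldap,
        "codes_consistent": consistent,
        "is_access_denied": consistent
        and win32 == ERROR_DS_INSUFF_ACCESS_RIGHTS
        and ldap == LDAP_INSUFFICIENT_ACCESS_RIGHTS,
    }


if __name__ == "__main__":
    for key, value in triage_publish_failure(EVENT_80).items():
        print(f"{key}: {value}")
```

The `target_dn` field names the object on which the write was refused, which is where to compare permissions against the CA's computer account.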
Steven L Umbach
Guest
Posted: Sat Jan 08, 2005 11:57 pm    Post subject: Re: Changing Global Group to Domain Local Group.

I would check the template for that certificate to make sure that the domain
controllers from the child domain have read/enroll/autoenroll
permissions. --- Steve


"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:umAl8wP9EHA.1292@TK2MSFTNGP10.phx.gbl...
Quote:
Yes I did. I am however still getting errors when my domain controllers
try to autoenroll DC certs. It is giving a privilege denied message.
Listed below.

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 1/6/2005
Time: 11:12:33 AM
User: N/A
Computer: ZDHT02
Description:
Certificate Services could not publish a Certificate for request 16 to the
following location on server dh325.dhmcmaster.dh.hitchcock.org:
CN=DH325,OU=Domain Controllers,DC=dhmcmaster,DC=dh,DC=hitchcock,DC=org.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344).
ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Back to top
Guest
Posted: Mon Jan 10, 2005 2:21 pm    Post subject: Re: Changing Global Group to Domain Local Group.

one other question - Is the group empty ? If you have nested groups then you
often can't due to the AGDLP rule.

Mark
"Rob McShinsky" <List@mcshinsky.com> wrote in message
news:eTTibvM9EHA.3320@TK2MSFTNGP10.phx.gbl...
Quote:
Sorry for the lack of detail. Unable to change to any group type. All
options are greyed.
Back to top
Steven L Umbach
Guest
Posted: Tue Jan 11, 2005 12:57 am    Post subject: Re: Changing Global Group to Domain Local Group.

This is the way the Cert Publishers group is configured in Windows 2000 and
can not be changed. They did change it in Windows 2003. Normally, as you
refer to, you can change group scope in a native mode domain. --- Steve


"<Shiny Bob>" <parris@newsguy,com> wrote in message
news:crtdtg0105l@news3.newsguy.com...
Quote:
one other question - Is the group empty ? If you have nested groups then
you often can't due to the AGDLP rule.

Mark
Back to top
 
All times are GMT