New AD features in Windows Server 2008 R2
My three favorites are:
Cross-forest certificate autoenrollment
Makes it possible to share a CA server between multiple forests. It works for XP/2003 clients and later OSs.
HTTP certificate enrollment
This is effectively a reverse-proxy enrollment feature via HTTP. It can also be configured to allow only renewals via HTTP while maintaining the old enrollment behaviour internally.
This is, however, a Windows 7 client-only feature.
AD Recycle Bin
Gone are the days of panic authoritative restores because someone just deleted your main OU. With W2k8 R2 comes the ability to undo that change before the objects are permanently deleted.
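As an added example (not part of the original post), this is one way to undo the deletion of an OU and everything under it with the Active Directory PowerShell module. The OU name 'Main' and the helper Restore-DeletedTree are hypothetical, and the Recycle Bin feature is assumed to have been enabled before the deletion happened.

```powershell
# Added example, not from the original post. Names below are placeholders.
Import-Module ActiveDirectory

$ouName = 'Main'   # hypothetical name (last known RDN) of the deleted OU

# The Recycle Bin is off by default. Turning it on needs forest functional level
# Windows Server 2008 R2 and cannot be undone, so this script only checks for it:
#   Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest>
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $feature.EnabledScopes) {
    throw 'AD Recycle Bin is not enabled; objects deleted earlier need an authoritative restore.'
}

function Restore-DeletedTree {
    param([Parameter(Mandatory=$true)] [string] $ParentDN)

    # Deleted objects record their former container in lastKnownParent.
    # Re-query on every level: the value only resolves once the parent is live again.
    $children = Get-ADObject -IncludeDeletedObjects -LDAPFilter '(isDeleted=TRUE)' `
                    -Properties lastKnownParent |
                Where-Object { $_.lastKnownParent -eq $ParentDN }

    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID
        # Read the live object back by GUID to get its restored DN, then descend.
        $liveDN = (Get-ADObject -Identity $child.ObjectGUID).DistinguishedName
        Restore-DeletedTree -ParentDN $liveDN
    }
}

# Locate the deleted OU itself. Refuse to guess if the name is ambiguous.
$deletedOu = @(Get-ADObject -IncludeDeletedObjects `
                 -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$ouName))" `
                 -Properties lastKnownParent)
if ($deletedOu.Count -ne 1) {
    throw "Expected exactly one deleted object named '$ouName', found $($deletedOu.Count)."
}

# Parent first, then its contents: a child cannot be restored into a missing container.
Restore-ADObject -Identity $deletedOu[0].ObjectGUID
$ouDN = (Get-ADObject -Identity $deletedOu[0].ObjectGUID).DistinguishedName
Restore-DeletedTree -ParentDN $ouDN
```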
Changes to existing components:
V3 certificate templates for Standard Edition
You won't need the Enterprise Edition to edit your certificate templates anymore. You will, however, still need it for cross-forest enrollment.
...more to come.
Active Directory Certificate Services Overview [lists the differences between the SKUs for ADCS]
http://technet.microsoft.com/en-us/library/cc755071.aspx
Comments
Anonymous
January 01, 2003
PingBack from http://www.windowsaffinity.com/?p=1952
Anonymous
January 01, 2003
If you're looking for information about pre-W2k8 R2 and cross-forest CA implementations, try http://support.microsoft.com/kb/961298/EN-US. For W2k8R2 and Win7, try http://www.microsoft.com/downloads/details.aspx?familyid=D408BE72-7C74-4B19-A2DE-FA11858C30B2&displaylang=en or http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/Windows_Vista_PKI_Enhancement_in_Windows_7_and_Windows_Server_2008_R2. A generic search on http://www.bing.com/search?q=cross-forest+enrollment&src=IE-SearchBox&FORM=IE8SRC also has some good links.
Anonymous
February 08, 2010
Hello, I am currently working on implementing cross-forest CA, and am having some permissions errors when enrolling. Unfortunately, I haven't found any good information on how to effectively troubleshoot the issue. Any suggestions? Thanks!