AD Schema Requirements for Windows PKI features

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on TECHNET on Dec 04, 2009

There have been a number of questions about Active Directory (AD) schema requirements for the Windows PKI features so I decided this deserves a blog post.

Cheat sheet

1. Version 2 and Version 3 certificate templates require the Windows Server 2003 (version 30) or later schema. It doesn’t matter whether the CA that issues them runs on Windows Server 2003, 2008, or 2008 R2.

2. Credential Roaming requires the schema that shipped with Windows Server 2008 (version 34), or an older schema that has been extended manually as documented in this white paper.

3. Certificate Enrollment Web Services require the schema that shipped with Windows Server 2008 R2 (version 47).
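To turn the cheat sheet into a check you can run on a domain-joined machine, here is an added PowerShell snippet (mine, not from the original post) that reads the forest schema version through ADSI and reports which of the three features it supports. It uses the published objectVersion values (Windows Server 2003 = 30, Windows Server 2008 = 44, Windows Server 2008 R2 = 47; note that Windows Server 2008 RTM reports 44 in practice), and it treats the presence of the Credential Roaming attributes as the sign of a manually extended older schema; those attribute names are assumed from the extension and should be verified against the white paper.

```powershell
# Added example (not part of the original post): read the forest schema
# version and report which PKI features from the cheat sheet it supports.
# Thresholds are the published objectVersion values:
#   Windows Server 2003 = 30, Windows Server 2008 = 44, 2008 R2 = 47.
# Uses plain ADSI, so it does not need the ActiveDirectory module.

$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaNc"
$version  = [int]$schema.objectVersion.Value

# Credential Roaming on an older schema depends on a manual extension.
# Detect it by looking for the attributes that extension adds
# (assumed names; verify against the white paper linked above).
$roamingAttrs = 'msPKIAccountCredentials',
                'msPKIDPAPIMasterKeys',
                'msPKIRoamingTimeStamp'
$searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
$searcher.SearchScope = 'OneLevel'
$roamingExtended = $true
foreach ($attr in $roamingAttrs) {
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    if (-not $searcher.FindOne()) { $roamingExtended = $false }
}

"Schema objectVersion: $version"
[PSCustomObject]@{
    'V2/V3 certificate templates (needs >= 30)'            = ($version -ge 30)
    'Credential Roaming (needs >= 44 or manual extension)' = ($version -ge 44 -or $roamingExtended)
    'Certificate Enrollment Web Services (needs >= 47)'    = ($version -ge 47)
} | Format-List
```

Run it as any domain user; reading the schema naming context needs no special rights, so it is a safe pre-flight check before planning a CA deployment.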

Frequently Asked Questions

Q: Does Windows 2008 CA require AD schema update?

A: No.

Q: But Brian Komar’s book says it does?

A: Still no. This is simply an error in the book.

Q: Does Windows 2008 R2 CA require AD schema update?

A: No, but see #3 above. If you actually want to use the new web services, you need the 2008 R2 schema.

Alex Radutskiy

Senior Program Manager, Windows Security
