Retired Microsoft Blog disclaimer

This directory is a mirror of the retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to their respective authors.
Original URL: https://blogs.technet.microsoft.com/pki/2009/12/04/ad-schema-requirements-for-windows-pki-features/
Post name: AD Schema Requirements for Windows PKI features
Original author: Alex Radutskiy [MSFT]
Posting date: 2009-12-04T09:00:07+00:00


There have been a number of questions about Active Directory (AD) schema requirements for the Windows PKI features, so I decided this deserves a blog post.

Cheat sheet

1. Version 2 and Version 3 certificate templates require the Windows Server 2003 (version 30) or later schema. It doesn’t matter whether the CA that issues them is based on a 2003, 2008, or 2008 R2 server.

2. Credential Roaming requires the schema that shipped in Windows Server 2008 (version 34) OR an older schema that has been extended manually as documented in this white paper.

3. Certificate Enrollment Web Services require the schema that shipped with Windows Server 2008 R2 (version 47).
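
One way to check a forest against the cheat sheet above (an added example, not part of the original post): read objectVersion from the schema naming context with the ActiveDirectory PowerShell module and compare it to the three versions listed. The credential roaming attribute names used to detect a manually extended schema are an assumption, not taken from the post.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the schema.
Import-Module ActiveDirectory

# Schema versions as listed in the cheat sheet.
$Schema2003   = 30   # Version 2 and Version 3 certificate templates
$Schema2008   = 34   # Credential Roaming
$Schema2008R2 = 47   # Certificate Enrollment Web Services

# The schema version is stored in objectVersion on the schema naming context.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$version  = [int](Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion

# An older schema can still support Credential Roaming if it was extended
# manually. Assumption: the extension is detected by looking for the three
# credential roaming attributes in the schema.
$roamingAttrs = 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys', 'msPKIRoamingTimeStamp'
$missing = @($roamingAttrs | Where-Object {
    -not (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$_)")
})
$roamingOk = ($version -ge $Schema2008) -or ($missing.Count -eq 0)

# One object per forest, suitable for piping to Format-List or Export-Csv.
[pscustomobject]@{
    SchemaVersion            = $version
    V2V3Templates            = $version -ge $Schema2003
    CredentialRoaming        = $roamingOk
    MissingRoamingAttributes = $missing -join ', '
    EnrollmentWebServices    = $version -ge $Schema2008R2
}
```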

Frequently Asked Questions

Q: Does a Windows 2008 CA require an AD schema update?

A: No.

Q: But Brian Komar’s book says it does?

A: Still no. This is simply an error in the book.

Q: Does a Windows 2008 R2 CA require an AD schema update?

A: No, but see #3 above. If you actually want to use the new web services, you need the 2008 R2 schema.


Alex Radutskiy

Senior Program Manager, Windows Security

