Endpoint Security Complete

  • 1.  Is AD 2008 Schema *Really* Required for SMM?

    Trusted Advisor
    Posted Mar 22, 2012 12:41 PM

    We have AD 2003, a 2003 CA, and Altiris 7.1SP2 with SMM 7.1SP1 installed.  We plan on setting up a SCEP server on 2008R2 Enterprise and we've seen conflicting information as to whether or not we need to extend our AD schema to 2008. 

    Clearly this shouldn't be done unless necessary so can anyone confirm this?  If so, our AD guys would like to know what, specifically, is AD 2008 schema required for?

     

    Edited:  Typo



  • 2.  RE: Is AD 2008 Schema *Really* Required for SMM?

    Posted Mar 26, 2012 06:25 AM

    Hi there,

    You could use a Windows 2008R2 Ent. SCEP with a Windows 2003 CA, that's for sure!

    Keep in mind that, based on restrictions in this combination (by Microsoft), you are only able to use the standard SCEP templates (must be IPSECIntermediateOffline). It is being said that this should be working with other templates as well, but I haven't found out yet by what means this is going to be accomplished!

     

    regards

    henning



  • 3.  RE: Is AD 2008 Schema *Really* Required for SMM?
    Best Answer

    Posted Mar 26, 2012 06:53 AM

    I do not see an issue working together with the CA 2003 even if your SCEP is on 2008R2.
    I expect difficulties enrolling the necessary roles on your SCEP if your AD is 2003 and does not provide a 2008 schema. You might get something like:

    The Certificate Enrollment Web Service or Certificate Enrollment Policy Web Service must be installed on a member server in an Active Directory forest in which the Windows Server 2008 R2 version of ADPrep /forestprep has been successfully run.



  • 4.  RE: Is AD 2008 Schema *Really* Required for SMM?

    Trusted Advisor
    Posted Mar 26, 2012 11:46 AM

    This is the info that my AD guys were looking for.  Thanks!  (Symantec support actually told me to go ask Microsoft :) )