AD Schema Requirements for Windows PKI features

There have been a number of questions about Active Directory (AD) schema requirements for the Windows PKI features so I decided this deserves a blog post.

Cheat sheet

1. Version 2 and Version 3 certificate templates require the Windows Server 2003 schema (version 30) or later. It doesn’t matter whether the CA that issues them is based on 2003, 2008, or 2008 R2 server.

2. Credential Roaming requires the schema that shipped with Windows Server 2008 (version 34), OR an older schema that is extended manually as documented in this white paper.

3. Certificate Enrollment Web Services require the schema that shipped with Windows Server 2008 R2 (version 47).
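A quick way to apply the cheat sheet to a real forest is to read the schema version from AD and compare it against the three thresholds above. The script below is an added example, not part of the original post; it assumes the `objectVersion` attribute of the schema naming context holds the forest schema version and that it is run from a domain-joined machine (the `-SchemaVersion` parameter lets you evaluate a number offline instead).

```powershell
# Added example (not from the original post): report which Windows PKI features the
# forest's current AD schema supports, using the version thresholds from the cheat
# sheet above. Assumes objectVersion on the schema naming context is the schema
# version and that the caller can reach a domain controller via ADSI.

function Get-PkiSchemaSupport {
    [CmdletBinding()]
    param(
        # Supply a version to evaluate without touching AD (e.g. a number from a change record).
        [int]$SchemaVersion
    )

    if (-not $PSBoundParameters.ContainsKey('SchemaVersion')) {
        # objectVersion on CN=Schema,CN=Configuration,... is the forest schema version
        $rootDse       = [ADSI]'LDAP://RootDSE'
        $schemaNC      = $rootDse.schemaNamingContext
        $schemaObj     = [ADSI]"LDAP://$schemaNC"
        $SchemaVersion = [int]$schemaObj.objectVersion.Value
    }

    # Minimum schema versions exactly as stated in the cheat sheet above
    $requirements = @(
        @{ Feature = 'V2/V3 certificate templates';        MinVersion = 30; ShippedWith = 'Windows Server 2003' }
        @{ Feature = 'Credential Roaming';                  MinVersion = 34; ShippedWith = 'Windows Server 2008' }
        @{ Feature = 'Certificate Enrollment Web Services'; MinVersion = 47; ShippedWith = 'Windows Server 2008 R2' }
    )

    foreach ($r in $requirements) {
        [pscustomobject]@{
            SchemaVersion = $SchemaVersion
            Feature       = $r.Feature
            MinVersion    = $r.MinVersion
            ShippedWith   = $r.ShippedWith
            Supported     = ($SchemaVersion -ge $r.MinVersion)
        }
    }
}

# Live check against the current forest:
Get-PkiSchemaSupport | Format-Table -AutoSize

# Offline check of a 2003-level schema: only templates should show Supported = True
Get-PkiSchemaSupport -SchemaVersion 30 | Format-Table -AutoSize
```

The version check cannot see a schema that was extended by hand per point 2, so a `Supported = False` result for Credential Roaming on a manually extended 2003 forest is not conclusive.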

Frequently Asked Questions

Q: Does Windows 2008 CA require AD schema update?

A: No.

Q: But Brian Komar’s book says it does?

A: Still no. This is simply an error in the book.

Q: Does Windows 2008 R2 CA require AD schema update?

A: No, but see #3 above. If you actually want to use the new web services, you need the 2008 R2 schema.


Alex Radutskiy

Senior Program Manager, Windows Security

Comments

  • Anonymous
    May 26, 2011
    What about if we want to use Online Responders?