Microsoft CA's & DNS entries

Important lesson on implementing Microsoft CA and autoenroll. Make sure your primary dns suffix and such is set to your CA's domain. We had broken out our workstations to be register in their campus locations for dns such as workstationa.mydomain.org. Yeah, not so good when you setup auto enroll on your CA. After following guides from http://www.kurtdillard.com/StudyGuides/70-640/6.html and http://security-24-7.com/windows-2008-r2-certification-authority-installation-guide/, I got a sub CA with hidden root running. Lesson learned for future designs of networks. Always, Always, Always buy enterprise server licenses for your CA. Anyhow the registration entries errors on both the CA and client would give a DNS entry not found error (sorry, not rdp'd into pull the exact language). We've since modified our GPO to have the primary dns suffix be only mydomain.org. auto-enroll is working great now.

Next up is how to get an iPad with a workstation cert. following a few of the guides. will let you know.