If you are using SSL, and want to use CA Identity Manager to manage a child-domain, you must establish permissions within Active Directory so that the child-domain can refer to the Certificate Authority that is defined on the parent domain. This is required if you are using an Enterprise Certificate Authority.
Please refer to the following Microsoft articles for further instructions on this:
Note: Confirm that your DNS configuration is correct. From both the parent and the child, you should be able to ping the other and receive back the correct IP address. Likewise, you should be able to run an 'nslookup' command on the IP address and receive back the correct fully-resolved name of the other.
If you are using SSL, and experience errors when you attempt to manage a child domain, you can use the standalone ADSLDAPDiag utility to connect to the child domain. ADSLDAPDiag is located in the bin folder of the C++ Connector Server installation. For example:
C:\Program Files\CA\Identity Manager\Provisioning Server\bin
Note: Run ADSLDAPDiag on the same machine as the C++ Connector Server. The syntax is: ADSLDAPDiag fully_qualified_name_of_the_ADS_server. If ADSLDAPDiag fails, this indicates that the CA Identity Manager errors are due to an SSL problem with the child domain.
Important! If your Certificate Authority is installed on a Windows 2003 server, auto-enrollment for the child domain needs to be working properly before a proper trust relationship can be established between the parent and child domains.
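The DNS and SSL checks described above can also be scripted. The following PowerShell is an added example, not part of the CA documentation and not a replacement for ADSLDAPDiag: it confirms that the peer's name resolves forward and back to the same name, then attempts an SSL handshake so that an untrusted issuing CA shows up as an explicit error. The host name dc01.child.example.test is a constructed placeholder, the function names are hypothetical, and port 636 (the standard LDAP-over-SSL port) is an assumption about how the connector reaches the domain controller.

```powershell
# Added example. The host name is a constructed placeholder; port 636 is an assumption.
param(
    [string]$PeerFqdn = 'dc01.child.example.test',
    [int]$LdapsPort = 636
)

function Test-ForwardReverseDns {
    param([string]$Fqdn)
    try { $addresses = [System.Net.Dns]::GetHostAddresses($Fqdn) }
    catch {
        # Forward lookup failed: report it as a row instead of stopping
        return [pscustomobject]@{ Name = $Fqdn; Address = $null; Reverse = $null; Match = $false }
    }
    foreach ($ip in $addresses) {
        # Reverse lookup must lead back to the name we started from
        try { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $ptr = $null }
        [pscustomobject]@{
            Name    = $Fqdn
            Address = $ip.IPAddressToString
            Reverse = $ptr
            Match   = [bool]($ptr -and ($ptr.TrimEnd('.') -ieq $Fqdn.TrimEnd('.')))
        }
    }
}

function Test-LdapsTrust {
    param([string]$Fqdn, [int]$Port)
    $ssl = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        # No validation callback is supplied, so the default Windows policy applies:
        # an untrusted issuing CA or a name mismatch makes the handshake throw.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Server = $Fqdn; Trusted = $true; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Error = $null }
    }
    catch {
        [pscustomobject]@{ Server = $Fqdn; Trusted = $false; Issuer = $null; NotAfter = $null; Error = $_.Exception.Message }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-ForwardReverseDns -Fqdn $PeerFqdn | Format-Table -AutoSize
Test-LdapsTrust -Fqdn $PeerFqdn -Port $LdapsPort | Format-List
```

Run it on the C++ Connector Server machine against the child domain controller, and repeat the DNS check from the child side against the parent. A row with Match set to False points to a DNS problem rather than a certificate problem.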
Copyright © 2011 CA. All rights reserved.