Appendix A: Directory Objects

Applies To: Windows Server 2003 with SP1

The various PKI-related containers such as CAs, enrollment services, templates, object identifiers (also known as OIDs), AIA, and CRL distribution points are created when you set up the forest for the first time with the first enterprise CA. The permissions on the objects are also set at that time.

Directory objects that are created by an enterprise CA

Installing an enterprise CA creates the following objects:

  • Enrollment Services object (includes CA certificate) – under CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=

  • Trusted root CA object (includes CA certificate) – under CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=

  • AIA object (includes CA certificate) – under CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=

  • KRA object (no significantly sized attributes) (Windows Server 2003 only) – under CN=KRA,CN=Public Key Services,CN=Services,CN=Configuration,DC=

  • CRL distribution point container (no significantly sized attributes) – under CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=

  • CRL distribution point object (includes CRL) – under CN=Computer,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=

The installation procedure also adds the CA certificate to the following existing object to provide trust for logon and authentication certificates:

  • Trusted Enterprise CA certificates – CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=

Directory Objects That Are Created by the First Enterprise CA in the Forest

Installing the first enterprise CA in the forest also creates the certificate template objects in Active Directory under the following container: 29 template objects when the CA runs a member of the Windows Server 2003 family, or 24 template objects when the CA runs Windows 2000.

CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=

The Windows Server 2003 family adds some additional object identifier (also known as OID) containers to the configuration container. Because object identifiers are not hardcoded in version 2 (V2) templates, these object identifier containers are required for V2 templates to work. Only clients running Windows XP and later can resolve object identifiers in Active Directory to friendly names.

CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=
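The following script, added here as an example and not part of the original article, walks the containers listed above, lists the certificates held in NTAuthCertificates, and shows which principals have write access to that object. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context.

```powershell
# Added example: audit the PKI containers created under Public Key Services.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can
# read the Configuration naming context.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# Containers created by enterprise CA installation, as listed in this appendix.
$containers = 'Enrollment Services', 'Certification Authorities', 'AIA',
              'KRA', 'CDP', 'Certificate Templates', 'OID'

foreach ($name in $containers) {
    $dn = "CN=$name,$pks"
    Write-Host "`n== $dn"
    # One level is enough: CDP holds one sub-container per CA computer.
    Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter * -Properties whenChanged |
        Select-Object Name, ObjectClass, whenChanged |
        Format-Table -AutoSize
}

# Every certificate in NTAuthCertificates is trusted for logon and
# authentication certificates, so each entry should map to a known enterprise CA.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($raw in $ntAuth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Permissions on these objects are set at installation; list who can modify
# NTAuthCertificates so unexpected grants stand out.
(Get-Acl -Path "AD:\CN=NTAuthCertificates,$pks").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run it from a domain-joined machine; the KRA container only exists in forests whose first enterprise CA ran Windows Server 2003, so its lookup may return nothing on older forests.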

For more information, see article 287547, "Object IDs Associated with Microsoft Cryptography" in the Microsoft Knowledge Base.