AD Schema Requirements for Windows PKI features

First published on TECHNET on Dec 04, 2009

There have been a number of questions about (AD) schema requirements for the Windows PKI features so I decided this deserves a blog post.

Cheat sheet

1. Version 2 and Version 3 templates require 2003 (version 30) or later schema. It doesn't matter if CA that issues them is based on 2003, 2008, or 2008 R2 server.

2. Credential Roaming requires schema that was shipped in 2008 (version 34) OR older schema that is extended manually as documented in this white paper .

3. Certificate Enrollment Web Services require schema that was shipped with 2008 R2 (version 47).

Frequently Asked Questions

Q: Does Windows 2008 CA require AD schema update?

A: No.

Q: But Brian Komar's book says it does?

A: Still no. This is simply an error in the book.

Q: Does Windows 2008 R2 CA require AD schema update?

A: No, but see #3 above. If you actually want to use new web services, you need 2008 R2 schema.

Alex Radutskiy

Senior Program Manager, Windows Security


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.