
Cert Publishers scope changed from Global to Domain Local in Windows Server 2003


Author: Dmitry Korolyov MVP


Symptoms

When you create a new domain by installing Windows Server 2003 as the first domain controller (DC), the Cert Publishers group is created as a Domain Local group. However, in domains that were created as Windows 2000 domains and later upgraded to Windows Server 2003, the Cert Publishers group is a Global group.
Note the following:
- in Windows 2000 domains, the Cert Publishers group has Global scope
- in domains that were initially installed as Windows 2000 domains (that is, the first DC installed for the domain was a Windows 2000 DC) and later upgraded to Windows Server 2003, the group scope does not change and remains Global
- in domains that were initially installed as Windows Server 2003 domains (that is, the first DC installed for the domain was a Windows Server 2003 DC), the group scope is Domain Local



Cause

Initially, the Cert Publishers group was designed as a Global group. However, this design resulted in several issues when a single certification authority (CA) is used in a multi-domain environment. These issues are described in the Knowledge Base articles referenced below.



Resolution

The behavior is by design.



More information

Cert Publishers is a special group that is created automatically when a new Active Directory domain is installed. This group is granted permissions in its own domain that allow its members to publish certificates for user objects in Active Directory. When a certification authority (CA) is installed in a domain, its computer account is automatically added to the Cert Publishers group of that domain.
In Windows 2000, the Cert Publishers group was created as a Global group. This design required additional configuration to allow certificates to be published in a trusted-domain environment where the users requesting certificates and the CA issuing them are located in different domains. Because the Cert Publishers group is only given permissions in its own domain, when a user from another trusted domain requests a certificate, the issuing CA cannot publish that certificate: it does not have permission to modify the appropriate property of the user object in the trusted domain. Such scenarios required the additional manual configuration described in the following KB articles:

- 281271 Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain
- 219059 Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain
- 300532 Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group in Windows Server 2003 Domain

In Windows Server 2003, the Cert Publishers group is created with Domain Local scope. Because objects from other domains can be added to a group with Domain Local scope, the additional configuration referenced above is no longer required. You can now add the computer account of the certification authority (CA) to the Cert Publishers group of any trusted domain, and that grants the CA permission to publish certificates for users in that domain.
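The following PowerShell is an added example, not part of the KB article: it reports the scope and membership of a domain's Cert Publishers group (flagging members that come from another domain), and adds a trusted domain's CA computer account only when the group is Domain Local, as described above. It assumes the ActiveDirectory RSAT module; the domain names and the CA name CA01 in the usage lines are placeholders.

```powershell
# Added example (not from the KB). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-CertPublishersReport {
    param([Parameter(Mandatory)][string]$Domain)   # DNS name of the domain to audit

    $group = Get-ADGroup -Identity 'Cert Publishers' -Server $Domain -Properties member, whenChanged
    $members = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $Domain -Properties sAMAccountName
        [pscustomobject]@{
            Name        = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
            Class       = $obj.ObjectClass
            # A member from a trusted domain is stored as a foreignSecurityPrincipal
            # object; only a Domain Local (or Universal) group can hold one.
            CrossDomain = ($obj.ObjectClass -eq 'foreignSecurityPrincipal')
        }
    }
    [pscustomobject]@{
        Domain      = $Domain
        Scope       = $group.GroupScope   # Global: Windows 2000-born domain; DomainLocal: 2003-born
        LastChanged = $group.whenChanged  # members can write certificates onto user objects, so review changes
        Members     = $members
    }
}

# Grant a CA from a trusted domain the right to publish certificates in $Domain.
function Add-TrustedCAToCertPublishers {
    param(
        [Parameter(Mandatory)][string]$Domain,      # domain whose users receive the certificates
        [Parameter(Mandatory)][string]$CADomain,    # domain where the CA is installed
        [Parameter(Mandatory)][string]$CAComputer   # CA computer account name, e.g. CA01
    )
    $report = Get-CertPublishersReport -Domain $Domain
    if ($report.Scope -eq 'Global') {
        # Upgraded Windows 2000 domain: a foreign account cannot be added to a Global group.
        throw "Cert Publishers in $Domain is Global; apply the manual configuration from KB 281271 instead."
    }
    $ca = Get-ADComputer -Identity $CAComputer -Server $CADomain
    Add-ADGroupMember -Identity 'Cert Publishers' -Server $Domain -Members $ca
}

# Usage (assumed placeholder names):
# Get-CertPublishersReport -Domain 'child.example.com' | Format-List
# Add-TrustedCAToCertPublishers -Domain 'child.example.com' -CADomain 'example.com' -CAComputer 'CA01'
```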



Properties

COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.






Keywords: KB555183, kbhowto, kbpubmvp, kbpubtypecca


Article Info
Article ID : 555183
Revision : 1
Created on : 8/23/2004
Published on : 8/23/2004
Exists online : False
Views : 392