Configuring Security

Integration with Windows 2000

In Exchange 2000, Key Management Service (KMS) takes advantage of many features of the Windows 2000 operating system. In particular, KMS uses Windows 2000 Server Certificate Services as its certification authority (CA). The Windows 2000 operating system handles certificate issuance and revocation, as well as certificate trust list (CTL) maintenance.

Note   For compatibility with Outlook 97 and earlier clients, KMS will continue to issue X.509v1 certificates.

A new benefit of Certificate Services is that KMS can now use any Certificate Services server in your organization. If one server is busy, KMS can enroll a user through another. Although KMS has to use Certificate Services as its CA, Certificate Services can be configured as a subordinate of any third-party CA.

Note   You cannot install KMS until you install Certificate Services.

KMS also uses another Windows 2000 feature: Group Policy objects. Essentially, administrators create a Group Policy object to define desktop settings across a large number of computers. All Windows 2000 Certificate Services servers are trusted throughout your organization because of a CTL published to Windows 2000 Active Directory by your domain controller's Group Policy object. Windows 2000 workstations and servers download this information at regular intervals.

Note   Active Directory provides several additional advantages for KMS, including the ability to enroll users in Advanced Security by user or by specific groups. Per-user security functions can also be configured. Active Directory provides administrative flexibility to KMS.