Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Enterprise CA placement [message #157108] Tue, 30 June 2009 13:35
study
Messages: 13
Registered: June 2009
Junior Member
Hello
We currently have a single 2003 active directory forest with one root empty
domain and 2 child domains.
We are going to create an offline standalone root CA (on a workgroup server)
then one issuing Enterprise CA (on a DC).

My question is,
1. which domain should we install the Enterprise CA on?
The issuing CA would be servicing all 3 domains. Can we install on one of
the child domain DCs or does it need to be on the root domain DC?

2. if we install 2 issuing CAs by installing CA on 2 different DCs, does it
provide redundancy in case one fails?
RE: Enterprise CA placement [message #157111 is a reply to message #157108] Tue, 30 June 2009 14:28
WildPacket
Messages: 130
Registered: July 2009
Senior Member
Why put a CA on a DC??? It is recommended on a member server.



Re: Enterprise CA placement [message #157121 is a reply to message #157108] Tue, 30 June 2009 21:40
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
In news:0DE7FF1F-2B1D-4E7C-A515-84BBA9A2B4D8@microsoft.com,
study <study@discussions.microsoft.com>, posted the following, which I replied to down below...: Hello study
> Hello
> We currently have a single 2003 active directory forest with one root
> empty domain and 2 child domains.
> We are going to create an offline standalone root CA (on a workgroup
> server) then one issuing Enterprise CA (on a DC).
>
> My question is,
> 1. which domain should we install the Enterprise CA on?
> The issuing CA would be servicing all 3 domains. Can we install on
> one of the child domain DCs or does it need to be on the root domain
> DC?
>
> 2. if we install 2 issuing CAs by installing CA on 2 different DCs,
> does it provide redundancy in case one fails?

As WildPacket recommended, do not install it on a DC. You will complicate matters concerning the DC and the CA Root. Put it on a member server.

I would install it as a member server under the forest root domain.

No, as far as redundancy. Install it as an enterprise root, then create subordinate issuing roots under the CA root. Take the root offline. Bring it up to update it once in a while. This way the root cannot be compromised.

Here are some of my links on it:

==========================
Certificate Authority

Here are some articles on how to set up Microsoft CA's and deploy certificates to users.

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Implementing and Administering Certificate Templates in Windows Server 2003
http://technet.microsoft.com/en-us/library/cc783016.aspx

PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx

Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx

Advanced Certificate Enrollment and Management
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Certificate Autoenrollment in Windows Server 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Selecting Certificate Templates Public Key (need enterprise to make autoenrollment work):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/c71d2cd3-82ef-4e3c-8746-1340d0ef4e9a.mspx

Configure a certificate template for client autoenrollment:
http://technet2.microsoft.com/WindowsServer/en/Library/47f1c981-7c04-48b0-a697-56db5ba00a8e1033.mspx

Problems Installing Certificate Services After You Apply the Q323172 Patch:
http://support.microsoft.com/default.aspx?scid=kb;en-us;328595

Certificate Services Operations Guide - Certificate Services Operations:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/CertificateServices/CrtSevcOG_2.mspx

The Secure Access Using Smart Cards Planning Guide - Chapter 3 - Using Smart Cards to Help Secure Administrator Accounts:
http://www.microsoft.com/technet/security/topics/networksecurity/securesmartcards/scpgch03.mspx
==========================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Enterprise CA placement [message #157187 is a reply to message #157121] Wed, 01 July 2009 16:20
study
Messages: 13
Registered: June 2009
Junior Member
Thanks!

> As WildPacket recommended, do not install it on a DC. You will complicate
> matters concerning the DC and the CA Root. Put it on a member server.
What issues can arise by installing CA on a DC? We don't have any servers
located in the root domain other than the DCs and as we don't have hardware
for any additional servers at this time, we're planning to install it on a DC.

> I would install it as a member server under the forest root domain.

> No, as far as redundancy. Install it as an enterprise root, then create subordinate issuing roots under the CA root. Take the root offline. Bring it up to update it once in a while. This way the root cannot be compromised.
The root CA has to be enterprise? I can't do standalone offline root then
create 2 enterprise issuing subordinate CAs?
Re: Enterprise CA placement [message #157195 is a reply to message #157187] Wed, 01 July 2009 20:35
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
In news:0F271A7F-E632-49BA-BC14-363BD74E23BD@microsoft.com,
study <study@discussions.microsoft.com>, posted the following, which I replied to down below...: Hello study
> Thanks!
>
>> As WildPacket recommended, do not install it on a DC. You will
>> complicate matters concerning the DC and the CA Root. Put it on a
>> member server.
> What issues can arise by installing CA on a DC? We don't have any
> servers located in the root domain other than the DCs and as we don't
> have hardware for any additional servers at this time, we're
> planning to install it on a DC.
>
>> I would install it as a member server under the forest root domain.
>
>> No, as far as redundancy. Install it as an enterprise root, then
>> create subordinate issuing roots under the CA root. Take the root
>> offline. Bring it up to update it once in a while. This way the root
>> cannot be compromised.
>
> The root CA has to be enterprise? I can't do standalone offline root
> then create 2 enterprise issuing subordinate CAs?

Well, true, if you want to go the extra distance to create an offline root, there's a lot involved, otherwise install it and keep it up and running. It really depends on your needs.

As for using it for autoenrollment, the CA MUST be installed on a Windows 2003 or 2008 Enterprise Edition in order to have the v2 templates available to create an autoenrollment certificate.

Ace
Re: Enterprise CA placement [message #157201 is a reply to message #157195] Wed, 01 July 2009 20:53
study
Messages: 13
Registered: June 2009
Junior Member
Thanks Ace,
I think I'll go the extra distance and create a standalone offline root then
create 2 subordinate enterprise issuing CAs.

So what kind of issues can there be if the CA (in this case the enterprise
subordinate issuing CAs) is installed on a DC as opposed to a member server?

Re: Enterprise CA placement [message #157202 is a reply to message #157201] Wed, 01 July 2009 21:49
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"study" <study@discussions.microsoft.com> wrote in message news:3FF7498D-05C0-4C10-93E2-CFE3DDFD17C1@microsoft.com...
> Thanks Ace,
> I think I'll go the extra distance and create a standalone offline root then
> create 2 subordinate enterprise issuing CAs.
>
> So what kind of issues can there be if the CA (in this case the enterprise
> subordinate issuing CAs) is installed on a DC as opposed to a member server?

Complications. Difficulty recovering one or the other. Security. Many things. It's just not best practice to do so, such as not installing Exchange on a DC, but many don't pay attention to best practices or read up or research it, but they do anyway, also not making a DC multihomed (more than one NIC and/or IP), but many do as well not realizing the implications, etc, only to find problems later on and the complications to fix them.

Windows Server 2003 Certificate Services, May 26, 2006 ... Windows Server 2003 Certificate Services contains new features and ... can be a member server (recommended) or a domain controller (DC—not recommended ...
http://windowsitpro.com/.../windows-server-2003-certificate-services.html

And here's an old post of mine that I found when I was helping someone else with a CA on a DC:
Re: Certificate services on a domain controller
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.setup/2008-09/msg00099.html

I hope that helps.

Ace
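As an added example (not posted by anyone in this thread), a PowerShell check that lists the enterprise CAs registered in the forest's Configuration partition, flags any hosted on a domain controller (the placement Ace and WildPacket advise against), and reports certificate templates published by only one issuing CA. It assumes the RSAT ActiveDirectory module and an account with read access to the Configuration partition; because enterprise CAs register forest-wide, the same query covers the root and both child domains no matter where the CA is installed.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Enterprise CAs register in the Configuration partition, which is replicated
# forest-wide; this is why one issuing CA can serve every domain in the forest.
$cfgNC      = (Get-ADRootDSE).configurationNamingContext
$enrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
$cas = Get-ADObject -SearchBase $enrollBase `
                    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties dNSHostName, certificateTemplates

# Collect every domain controller in every domain of the forest so a CA
# placed on a child-domain DC is caught as well as one on a root-domain DC.
$dcHosts = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomainController -Filter * -Server $domain).HostName
}

# Placement report: one row per issuing CA.
$report = foreach ($ca in $cas) {
    $onDC = $dcHosts -contains $ca.dNSHostName   # case-insensitive match on FQDN
    [pscustomobject]@{
        CAName             = $ca.Name
        Host               = $ca.dNSHostName
        OnDomainController = $onDC
        Templates          = ($ca.certificateTemplates -join ', ')
        Finding            = if ($onDC) { 'CA on a DC: move to a member server' }
                             else       { 'OK: member server' }
    }
}
$report | Format-Table -AutoSize

# Redundancy check: clients can enroll for a template from any online CA that
# publishes it, so a template offered by a single CA is a single point of failure.
$cas | ForEach-Object { $_.certificateTemplates } |
    Group-Object |
    Where-Object { $_.Count -lt 2 } |
    ForEach-Object { "Template '$($_.Name)' is published by only one issuing CA" }
```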