Does root CA require Enterprise Edition

Posted on 2008-11-13
Last Modified: 2012-05-05
We currently have a root domain and two child domains.  Each domain has two domain controllers running Windows 2003 Server Standard Edition.  We want to install Certificate Services and allow both users and computers in the child domains to automatically.  

My plan is to install a root CA on one of the DCs in the root domain and then install a subordinate/issuing CA on a DC in each of the child domains.  As I understand it, in order for the subordinate/issuing CAs to do auto-enrolment, they must be running Windows Server Enterprise Edition.  That's fair enough, I can get away with re-building one of the DCs without too much bother.

My question is, does the root CA also have to be running Enterprise Edition?  As I understand it, it is only going to need to issue two certificates, one to each of the subordinates in the two child domains, so I can do that manually.  Will this affect the subordinate CAs' ability to perform auto-enrolment?



I understand that the CA must be installed on a
Question by: darrenbell2000

    Accepted Solution

    Any offline CAs should be installed with Standard Edition and not joined to a domain - this would normally just include the root CA in a standard two-tier PKI.  If you have a three-tier PKI, the root and policy servers would be included.  The online issuing subordinate you would want to be Enterprise Edition and should be joined to a domain for autoenrollment processes (EFS, workstation, DC, etc. certs).  

    I recommend against installing your root CA on any DC - it gets messy.  As mentioned above, create your root as an offline non-domain box, then use that to issue your subordinate CAs in each environment desired.  Connecting it across a private non-routed LAN to one of the sub-CAs will make CRL distribution much easier.  Just create a script to run 'certutil -CRL' and then map a drive to the sub-CA, copy over the CRL, then create another script to run a little while later to copy the CRL to the applicable CDP locations (make one of these publicly accessible - no need for the CA to be connected to the internet, but having a CDP there will add a lot of options).  Protect your root CA - CAs are the basis of trust in your network, so you need to trust them.

    Generally I also advise against having any CA on a DC; it should be on its own box preferably - things get very messy when you upgrade the DCs when there is a CA on the same box, amongst many other reasons.

    Whether the root can be run as an Enterprise Root on Standard Edition is a hot topic with some - but we do that here, so I know it works that way (contrary to a ton of documentation even from Microsoft).  Enterprise Subordinate should be done on Enterprise Edition as there are a lot of things that are only available that way.
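The offline-root layout described in the accepted solution needs the root CA told where its CRL and certificate will be served from, because a workgroup box cannot look that up in AD. The following is an added example, not code from the thread or from Microsoft; it is PowerShell (the same certutil calls work from a .cmd batch file if the % tokens are doubled to %%). The host name pki.example.com, the share name and the DC=example,DC=com naming context are assumptions; substitute your own.

```powershell
# Added example (not from the original post): one-time post-install configuration
# of an offline, workgroup root CA, run on the root CA itself as an administrator.
# Assumptions: pki.example.com is the publicly reachable web server that hosts the CRL
# (the "publicly accessible" CDP in the answer); DC=example,DC=com is the forest root,
# copied by hand from a sub-CA because the offline root is not domain-joined.
$CdpHost  = "pki.example.com"
$ForestDN = "DC=example,DC=com"

# The root cannot query AD, so give it the configuration container for the %6 token.
certutil -setreg CA\DSConfigDN "CN=Configuration,$ForestDN"

# Base CRL lifetime. The root only ever signs the subordinate CA certificates, so a
# long CRL is acceptable; the publishing script must run well inside this window.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
# No delta CRLs on an offline root (0 disables them).
certutil -setreg CA\CRLDeltaPeriodUnits 0

# CDP: where relying parties look for the CRL. Prefix flags: 1 = root writes the file
# here, 2 = put this URL in issued certs' CDP extension, 8 = put it in the CRL's own
# CDP. The LDAP entry is NOT published by the root (no AD access); the sub-CA pushes
# it later with certutil -dspublish, so it only gets flag 2 + 8 = 10.
$local = "$env:windir\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs ("1:$local\%3%8%9.crl" +
    "\n2:http://$CdpHost/CertEnroll/%3%8%9.crl" +
    "\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

# AIA: where relying parties fetch the root certificate itself.
certutil -setreg CA\CACertPublicationURLs ("1:$local\%1_%3%4.crt" +
    "\n2:http://$CdpHost/CertEnroll/%1_%3%4.crt" +
    "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11")

# Registry changes take effect on restart; then cut the first CRL and check the result.
net stop certsvc
net start certsvc
certutil -CRL
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Verify the result with `certutil -dump` on a freshly issued subordinate CA certificate and confirm the CDP and AIA extensions show only URLs that clients can actually reach; an LDAP or HTTP path that resolves to the offline root's own name is the usual mistake.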

    Expert Comment

    Note: running your CAs in a VM environment can help cut the hardware costs down at least.  They are not very memory or CPU intensive, but allocate at least 30 GB per online CA if you can so you can have plenty of room for the database to grow over time, and back it up properly.  If you can afford the hardware, that is best, but VM works fine - just protect the host box as well as the active sessions, including the saved snapshots.

    Expert Comment

    I notice that you also have both 2000 and 2003 listed as categories - if possible you want to be running 2003 native mode prior to installing your CAs, and the CAs should really be on 2003 or 2008 as 2000 CA was just a twinkle of a CA.  2000 member servers and client boxes aren't too big of a deal as they don't affect the AD extensions.

    Author Comment


    Thanks for your comments.  I read up on using offline Root CAs and it does seem to be the best way to go about this.  I'm having an issue with it but I've put it in a new post.  Perhaps you could take a look as you've been through this before?

    thanks for your help


    Expert Comment

    Done.  Here is a nice walkthrough guide for a ton of things for setting up the CA.  You can skip the stuff re: cross certification unless you are actually trying to do that with a partner company or something - not typical.

    You will probably also want to enable SAN off the bat as well to add multiple names to a cert (e.g. you can have the IP address, hostname, FQDN, and alias for the same box all in one cert):

    For handling CRLs we batch script 'certutil -crl' to run twice a day and have in that script mapping a drive and copying over the CRL to the CDP locations.  We have a legal obligation to push ours once a day - usually once a week is fine - maybe with a 'certutil -crl delta' daily for incremental updates between base CRLs.  Basically, however long is configured in the CA, make sure you script to push it manually more often so you have time to recover.
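The two-stage CRL push that the accepted solution and the comment above both describe (cut the CRL on the offline root, copy it across the private link, then publish from the sub-CA to the CDP locations) is shown below as an added example; it is not the thread's own script. It is PowerShell; the certutil calls are identical from a .cmd file. SUBCA01, the CRLDrop share, C:\CRLDrop, WEB01 and the path names are assumptions. The sub-CA half refuses to publish a CRL whose NextUpdate is already in the past, which is the failure the "push it more often than configured so you have time to recover" advice is guarding against.

```powershell
# Added example (not from the original thread). Part 1 runs on the OFFLINE ROOT as a
# scheduled task; Part 2 runs on the SUB-CA a little later. Assumed names: the root
# maps Z: to \\SUBCA01\CRLDrop over the private non-routed LAN; on the sub-CA that
# share is C:\CRLDrop; \\WEB01\CertEnroll is the directory behind the public HTTP CDP.

# ---------------- Part 1: on the offline root ----------------
function Publish-RootCrlToDrop {
    # Cut a fresh base CRL; certsvc writes it to its CertEnroll directory.
    certutil -CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit $LASTEXITCODE)" }

    # Copy across the private link. No persistent mapping: the root stays isolated.
    net use Z: \\SUBCA01\CRLDrop /persistent:no
    if ($LASTEXITCODE -ne 0) { throw "could not map the CRL drop share" }
    try {
        Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crl" "Z:\" -Force
    } finally {
        net use Z: /delete /y
    }
}

# ---------------- Part 2: on the sub-CA ----------------
# Read NextUpdate from certutil's dump rather than trusting the file timestamp.
# Assumption: certutil prints the date in a format [datetime] can parse on this host.
function Get-CrlNextUpdate([string]$Path) {
    foreach ($line in (certutil -dump $Path)) {
        if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') { return [datetime]$Matches[1] }
    }
    return $null
}

function Publish-DroppedCrls([string]$Drop = "C:\CRLDrop",
                             [string]$WebCdp = "\\WEB01\CertEnroll") {
    foreach ($crl in Get-ChildItem "$Drop\*.crl") {
        $next = Get-CrlNextUpdate $crl.FullName
        if ($null -eq $next) {
            Write-Warning "$($crl.Name): could not read NextUpdate; not publishing"
            continue
        }
        if ($next -lt (Get-Date)) {
            # An expired CRL breaks every chain that checks revocation; publishing it
            # would not help, and the root's clock or the push schedule needs fixing.
            Write-Warning "$($crl.Name): NextUpdate $next is in the past; not publishing"
            continue
        }
        # HTTP CDP: plain file copy into the web directory.
        Copy-Item $crl.FullName $WebCdp -Force
        # LDAP CDP: the sub-CA is domain-joined, so it can write the CDP container
        # the root's certificates point at. -f overwrites the existing object.
        certutil -dspublish -f $crl.FullName
        if ($LASTEXITCODE -ne 0) { Write-Warning "$($crl.Name): dspublish failed" }
        else { Write-Host "$($crl.Name): published, valid until $next" }
    }
}

# Usage (each half on its own box, from its own scheduled task):
#   Publish-RootCrlToDrop      # on the root
#   Publish-DroppedCrls        # on the sub-CA, scheduled a little later
```

Run Part 2 with an account that may write to both the web directory and the AD CDP container (a member of Cert Publishers is the usual choice), not as a domain administrator. After the first push, `certutil -URL` against a subordinate CA certificate, or `certutil -verify -urlfetch` on any leaf certificate, confirms that every CDP listed in the chain is actually retrievable.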
