<div>
In windows 2k8, you'll want a Certificate Services server to handle most of the work. Certificate signing and encryption for email will only work internally for the most part. If you want an encryption system for email going outside your network, you'll want to look at third party solutions like PGP. Realistically, you'll need to determine how far reaching you want your encryption and authentication to be. AD CS is great internally, but it gets really troublesome when you go outside the LAN/WAN, because certificate distribution is limited to the domain. Same thing for web site authentication. It's a piece of cake and almost just works right out of the box if you're entirely internal. The second you break across that public/private line it gets troublesome. RSA makes a good key management system for distributing keys outside a private network, and I think there are a few other companies that do as well. <br />
<br />
Just to sum up my recommendation on how to move forward, take a look at what you want to do. If you need to manage certificates outside your network, you should look into third party solutions. If it's going to be mostly internal, or if any part of the requirement is internal only, you'll want to allow AD CS to handle that portion because of the auto-enrollment features built in to Windows. 
</div>


<div>
I see, so I will probably need to obtain a CA for Each of my domain controllers from a third-party to begin issuing certificates at least for inside applications and services.<br />
<br />
If we want to do email encryption or digital signatures then the RSA route is your recommendation or that of PGP, correct?<br />
<br />
One of the key factors that triggered this reearch was the adding a few services to be reached from the DMZ and be able to authenticate domain users from home or where ever they they can be. We already have servicea with their own certificates (webmail, citrix access, etc) which are at the DMZ but get the users authentication bounced off AD.<br />
<br />
Thanks for your input.<br />
<br />
<br />

</div>


<div>
Thanks for your detailed comment on this. I was looking at any other experts comments but I guess, even after the question was moved to another group, nobody else has an input for this.<br />
<br />
Thanks much, I will focus my research on this and seek a direct target solution. <br />
<br />
Definitely will do an in-house CA server for all our internal needs, per all my current readings online. R$A is out of the question, budget-wise.<br />
<br />
Thanks a bunch.
</div>


<div>
<div class="content wysiwyg-content">
My company has asked our team to implement a PKI solution so we can encrypt and digitally sign emails, files, authenticate users for web-based applications that are on DMZ servers (bounce authentication againts internal AD servers from the DMZ).<br />
<br />
Ourt current environment is: Active Directory with DOmain controllers as Windows Server 2008 R2.<br />
Multiple member servers in 2008 and some in 2003. Applications in our internal domain and some are located at the DMZ.<br />
<br />
What is required to start this implementation? PKI server, Certificate signing (Microsoft-local vs Third-Party).<br />
<br />

</div>
</div>


My company has asked our team to implement a PKI solution so we can encrypt and digitally sign emails, files, authenticate users for web-based applications that are on DMZ servers (bounce authentication againts internal AD servers from the DMZ).

Ourt current environment is: Active Directory with DOmain controllers as Windows Server 2008 R2.
Multiple member servers in 2008 and some in 2003. Applications in our internal domain and some are located at the DMZ.

What is required to start this implementation? PKI server, Certificate signing (Microsoft-local vs Third-Party).



Setting UP PKI and Certificate servers on a Windows Server 2008 R2 domain

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Exchange

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.