Solved

What is Best Practice for a Domain Root CA

Posted on 2013-01-13
713 Views
Last Modified: 2013-01-13
What is the purpose of an Offline Root CA (standalone non-member) with an Online Domain member Subordinate CA?

We are in the process of decommissioning our AD 2003 DCs, and one of them holds the Root CA role.
We want to segment the roles on the newly deployed machines (running 2008 R2) so that when there are future upgrades to DCs and other machines we are not worried about the roles on that machine except the one being decommissioned.

So my colleague proposed a Standalone non-member Offline Root CA with an Online Member Subordinate CA. I am thinking it is overkill for our environment since we are only using the cert for wLAN PEP access to our IAS/NPS at the present time.
Question by:yo_bee
6 Comments
 
LVL 77

Accepted Solution

by: arnold earned 500 total points
ID: 38772751
http://technet.microsoft.com/en-us/library/cc738786(v=ws.10).aspx

You can have your Offline CA as a VM.
You need a CA online to issue certificates as needed.
 
LVL 22

Author Comment

by:yo_bee
ID: 38772881
The question I have is: what is the difference between a Root CA and a Subordinate CA issuing a cert?
 
LVL 77

Expert Comment

by:arnold
ID: 38772927
Not sure of the context of your question.
The CA issuing certificates has to be running on a member server of a domain.
There can only be one root CA. You can have multiple subordinate certificate issuing CAs.
 
LVL 22

Author Comment

by:yo_bee
ID: 38772949
What's the purpose of not just having a Root CA if the requirements are very minimal?

Do you really need a root offline with a subordinate online?
 
LVL 77

Expert Comment

by:arnold
ID: 38773054
The offline root provides a security mechanism, i.e. if the ROOT CA is compromised through access, all certificates become suspect. If the subordinate issuing CA is compromised, you would, on the root CA, revoke the subordinate certificate and issue a new subordinate certificate. This way your impact will be narrower, i.e. you have two issuing CAs and the CRL will cancel only the subset of certificates issued by the compromised subordinate CA.
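The containment argument above, one offline root over two online issuing CAs where revoking one subordinate invalidates only its own certificates, can be shown end to end with Go's standard crypto/x509 package. The following is an added example, not code from this thread or from Microsoft AD CS: it builds the hierarchy in memory, has the root publish a CRL that revokes only "Issuing CA B", and then validates one server certificate from each issuing CA. Go's `Verify` does no revocation checking of its own, so the CRL walk down the chain is written by hand. All CA and server names, the ECDSA P-256 keys and the 24-hour validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type signer struct { // a CA or end-entity certificate with its private key
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// hierarchy: offline root, issuing CAs (as trust pools), one leaf per issuing CA, one CRL per CA (keyed by DER subject).
type hierarchy struct {
	root          *signer
	roots, inters *x509.CertPool
	leaves        []*x509.Certificate
	crls          map[string]*x509.RevocationList
}

func must[T any](v T, err error) T { // demo-only helper: any setup failure aborts the example
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a key and certificate for cn, signed by parent (nil parent: self-signed root).
func issue(cn string, isCA bool, parent *signer) *signer {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &signer{cert: tmpl, key: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &signer{cert: must(x509.ParseCertificate(der)), key: key}
}

// publishCRL signs a CRL from ca listing the given serial numbers as revoked.
func publishCRL(ca *signer, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
	return must(x509.ParseRevocationList(der))
}

// buildHierarchy models the thread's design, then has the root revoke issuing CA B only.
func buildHierarchy() *hierarchy {
	h := &hierarchy{root: issue("Offline Root CA", true, nil), roots: x509.NewCertPool(),
		inters: x509.NewCertPool(), crls: map[string]*x509.RevocationList{}}
	h.roots.AddCert(h.root.cert)
	var sub *signer // holds issuing CA B once the loop ends
	for _, name := range []string{"A", "B"} {
		sub = issue("Issuing CA "+name, true, h.root)
		h.inters.AddCert(sub.cert)
		h.leaves = append(h.leaves, issue("NPS server "+name, false, sub).cert)
		h.crls[string(sub.cert.RawSubject)] = publishCRL(sub) // nothing revoked below the issuing CAs
	}
	// The "compromised subordinate" case: the root's CRL names issuing CA B; A's certificates stay trusted.
	h.crls[string(h.root.cert.RawSubject)] = publishCRL(h.root, sub.cert.SerialNumber)
	return h
}

// validate chains leaf to the root, then checks each link against its issuer's CRL
// (signature, freshness, serial), failing closed when a CA has published no CRL.
func validate(h *hierarchy, leaf *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: h.roots, Intermediates: h.inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return err
	}
	for i, chain := 0, chains[0]; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl, ok := h.crls[string(issuer.RawSubject)]
		if !ok || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("no valid, fresh CRL from %q", issuer.Subject.CommonName)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q revoked by %q", cert.Subject.CommonName, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}
```

Calling `validate(h, h.leaves[0])` returns nil: the certificate issued under CA A still chains to the root and passes every CRL check. `validate(h, h.leaves[1])` fails with a "revoked" error, because its issuer's serial number is on the root's CRL, even though the leaf itself is untouched. Two practical points fall out of the code: the validator fails closed when a CA has not published a CRL or the CRL is past `NextUpdate`, and for an offline root that is the recurring operational cost of the design, since someone has to bring the root up to sign a fresh CRL before the current one expires or every certificate beneath it stops validating.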
 
LVL 22

Author Comment

by:yo_bee
ID: 38773058
Thanks for the details on this.
