Solved

what is Best Pratice for Domain Root CA

Posted on 2013-01-13
6
734 Views
Last Modified: 2013-01-13
What is the purpose of an Offline Root CA (standalone non-member) w/ a Online Domain  member Subordinate CA?

We are in the process of decom our AD 2003 DC's and one of them holds the Root CA role.
We want to segment the roles in the newly deployed machines (running 2008 R2) so when there are future upgrades to DC's and other machines we are not worried about the roles on that machine accept the one being decom.

So my colleague proposed and Standalone non-member Offline Root CA with an Online Member Subordinate CA.  I am thinking it is overkill for our environment since we are only using the Cert for a wLAN PEP access to our IAS/NPS at the present time.
0
Comment
Question by:yo_bee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 38772751
http://technet.microsoft.com/en-us/library/cc738786(v=ws.10).aspx

You can have your Offline CA as a VM.
You need a CA online to issue certificates as needed.
0
 
LVL 23

Author Comment

by:yo_bee
ID: 38772881
Question I have is what is the difference of a Root CA vs Subordinate CA issuing a Cert?
0
 
LVL 78

Expert Comment

by:arnold
ID: 38772927
Not sure the context of your question.
The CA issuing certificates has to be running on a member server of a domain.
There can only be one root CA. You can have multiple subordinate certificate issuing CAs.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 23

Author Comment

by:yo_bee
ID: 38772949
What's the purpose of not just having a Root CA if the requirements are very mininual.

Do you really need a root offline with a subordinate online ?
0
 
LVL 78

Expert Comment

by:arnold
ID: 38773054
The offline provides for a security mechanism. I.e. if the ROOT CA is compromised through access, all certificates become suspect. If the subordinate issuing CA is compromised, you Would on the root CA revoke the subordinate certificate and issue a new subordinate certificate.  This way you impact will be narrower I.e. you have two issuing CAs and the CRL will cancel only a subset of certificates issued by the compromised subordinate CA.
0
 
LVL 23

Author Comment

by:yo_bee
ID: 38773058
Thanks for the details on this.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question