Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Which domain to install Enterprise Root CA server in?

Posted on 2013-01-29
4
Medium Priority
?
1,259 Views
Last Modified: 2013-01-30
Hey guys. Our AD infrastructure never had a PKI within it. We are installing LYNC now and I need to setup an enterprise root CA server. But I am unsure of what domain to join it to.

We currently have a root domain with 3 child domains. Example:

root.corp
cd1.root.corp
cd2.root.corp
cd3.root.corp

Our Exchange servers are in one child domain, say cd2.root.corp and the LYNC server is going to be installed in another child domain cd1.root.corp.

Can I install our CA server in any child domain or does it have to be joined to the root domain, root.corp?

TIA
0
Comment
Question by:zito2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 38831049
enterprise root ca should be in the root AD root.corp but can be on a member server and not the AD/DNS server
0
 
LVL 12

Accepted Solution

by:
Dave earned 1000 total points
ID: 38834294
Why do you need an Enterprise Root CA?. In general its still considered best practice to have a standalone root CA thats kept off-line.

If you install it standalone on a member server from an account with enterprise admin rights it will set up the trusted root store on the local PCs.

I am currently re-building a CA hierarchy after the original was installed with the root on a DC and the issueing CA's on DHCP servers we want to retire and rename so I caution you to be carefull how you design it.

At the very least look at giving the CRLs server agnostic names e.g. "pki.mydomain.com/crl"

The Microsoft "best Practice" guide has some scripts that help..

http://technet.microsoft.com/en-us/library/cc772670(v=ws.10).aspx
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 38834312
From the best practices guide:
Certificate Services offers two types of CAs that have different feature sets: enterprise CAs and stand-alone CAs. A Windows Server 2003 PKI may consist of both types of CAs, which is often recommended for the enterprise environment. A comparison of strengths of the stand-alone CA and the enterprise CA may help you decide what CA type is required for which role.
A stand-alone CA should be used if:
•      It is an offline root or offline intermediate CA.
•      Support of templates that you can customize is not required.
•      A strong security and approval model is required.
•      Fewer certificates are enrolled and the manual work that you must do to issue certificates is acceptable.
•      Clients are heterogeneous and cannot benefit from Active Directory.
•      It is combined with a third party Registration Authority solution in a multi-forest or heterogeneous environment
•      It issues certificates to routers through the SCEP protocol

An enterprise CA should be used if:
•      A large number of certificates should be enrolled and approved automatically.
•      Availability and redundancy is mandatory.
•      Clients need the benefits of Active Directory integration.
•      Features such as autoenrollment or modifiable V2 templates are required.
•      Key archival and recovery is required to escrow encryption keys

http://www.microsoft.com/en-us/download/details.aspx?id=20677
0
 

Author Comment

by:zito2000
ID: 38835000
Thanks for the help guys. According to the Microsoft consultant that is configuring the LYNC server on his end (in our Germany office; I'm in the US) he requested the CA be an enterprise CA.

But now we have the issue of creating custom templates and need to upgrade to an enterprise version of Windows Server. But that's another issue =D

Thanks for the quick replies.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question