• Status: Solved

Advice on Enterprise certificate setup

Hi guys,

I have 30 domain controllers, with two of them splitting FSMO roles as my main DCs.
I am about to install certificate services, but I wanted to get some opinions on what is the best setup for this architecture. I know there is root and CA root etc. Is it best to have a separate certificate on each DC or have it all connected to the main DC? The plan is to use it for RADIUS for networking equipment, server etc., as well as wireless authentication.
1 Solution
Kent Dyer, IT Security Analyst Senior, commented:
Just like you have redundancy in DCs in your domain, you should have redundancy in your CA. If you have only one CA and it were to go offline, you need a backup. If you don't, people could have trouble authenticating to your domain and a possible host of other issues.


Hi, you should consider what design you should go for (how many tiers, offline Enterprise root CA, how many issuing CAs, etc.).

You should also avoid placing the CA server role on a DC, because that's making the ADCS role dependent on the ADDS role and also because it makes it difficult to separate the CA manager role from the Domain Administrator role. If you place the CA on a DC, you can't demote a DC without moving the CA to another server.

Here are some pros/cons for a 1 and 2 tier Enterprise CA:
Question has a verified solution.
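
One way to check an existing forest against the two points raised in the answers above (CA redundancy, and keeping AD CS off domain controllers), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module and read access to the forest's Configuration partition; the report column names are made up for this example.

```powershell
# Added example: read-only audit of Enterprise CA placement and redundancy.
# Assumption: RSAT ActiveDirectory module is installed on the machine running this.
Import-Module ActiveDirectory

# Enterprise CAs publish themselves as pKIEnrollmentService objects under
# CN=Enrollment Services in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = @(Get-ADObject -SearchBase $base `
            -LDAPFilter '(objectClass=pKIEnrollmentService)' `
            -Properties dNSHostName, cACertificate, certificateTemplates)

# DNS host names of every domain controller in every domain of the forest.
$dcNames = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomainController -Filter * -Server $domain).HostName
}

$report = foreach ($ca in $cas) {
    # A renewed CA can publish several certificates; report the latest expiry.
    $certs = foreach ($raw in $ca.cACertificate) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    }
    $latest = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1

    [pscustomobject]@{
        CAName        = $ca.Name
        Host          = $ca.dNSHostName
        RunsOnDC      = $dcNames -contains $ca.dNSHostName   # case-insensitive match
        Templates     = @($ca.certificateTemplates).Count
        CACertExpires = $latest.NotAfter
    }
}

$report | Format-Table -AutoSize

# Redundancy: a single issuing CA is a single point of failure for enrollment.
if ($cas.Count -lt 2) {
    Write-Warning "Only $($cas.Count) Enterprise CA(s) published; no redundancy for issuance."
}

# Placement: a CA on a DC ties AD CS to AD DS and blurs CA manager / Domain Admin roles.
foreach ($row in $report | Where-Object RunsOnDC) {
    Write-Warning "$($row.CAName) is hosted on domain controller $($row.Host)."
}
```

An offline root CA that is not joined to the domain does not appear under Enrollment Services, so this lists issuing (Enterprise) CAs only.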
