Solved

Microsoft Certificate Server Database Replication

Posted on 2014-04-21
Last Modified: 2014-05-13
Our company has two Microsoft Certificate Servers on two different sites. They are both installed on MS-Server 2012 R2 and joined to the same AD domain. It is important and essential that the content of the two Certificate Server databases should be synchronized with each other.

As I am new to Certificate Server, I would like to know if the content of the two Certificate Server databases (including the CRL - Certificate Revocation List) will be replicated and synced with each other through the AD replication process, or whether another method needs to be implemented?

Is there a way to shorten the replication time for the two Certificate Servers?

Appreciate your advice in advance.

Regards
Patrick Tam
0
4 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40012627
What is your certificate hierarchy? A Root Server and 2 Issuing, or 2 Root Servers? Do the CRLs for both point to the same address, and the same with the AIA? If you have two Root CAs then you have to do a tear-down and a rebuild, and rebuild it correctly the next time. They don't sync via Active Directory and they don't have to be synced; they do have to have the same top-level certificate in the chain though.

You should have an offline root CA and import the root CA certificate via group policy to all computers. You should use a request from each issuing CA to the root CA for a certificate, issue these two certs, remember which one goes to which machine, and install them; now these issuing CAs can issue certs without a problem. Point the CRLs and AIAs to the same web location, i.e. pki.example.com.
0
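A way to check the point made above, that both issuing CAs publish their CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs under the same web location, as an added example that is not part of this thread. It assumes both CAs run Windows Server 2012 R2 with the ADCSAdministration module, that PowerShell remoting is enabled, that the caller holds CA administrator rights, and the host names CA1.example.com and CA2.example.com are placeholders.

```powershell
# Added example (not from the thread): compare the HTTP CDP and AIA URLs that two
# issuing CAs write into the certificates they issue.
# Assumed host names; replace with the real issuing CA servers.
$caServers = @('CA1.example.com', 'CA2.example.com')

# Collect only the entries that end up inside issued certificates:
#   CDP entries flagged AddToCertificateCdp, AIA entries flagged AddToCertificateAia.
$results = Invoke-Command -ComputerName $caServers -ScriptBlock {
    Import-Module ADCSAdministration
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Cdp = @(Get-CACrlDistributionPoint |
                Where-Object { $_.AddToCertificateCdp } |
                Select-Object -ExpandProperty Uri)
        Aia = @(Get-CAAuthorityInformationAccess |
                Where-Object { $_.AddToCertificateAia } |
                Select-Object -ExpandProperty Uri)
    }
}

# Reduce each HTTP URL to its host name. The path part contains per-CA tokens
# (<CaName>, <CRLNameSuffix>, ...), so only the host is expected to match across CAs.
function Get-UrlHosts([string[]]$urls) {
    @($urls |
        Where-Object { $_ -match '^https?://' } |
        ForEach-Object { ($_ -replace '^https?://([^/]+).*$', '$1').ToLowerInvariant() } |
        Sort-Object -Unique)
}

foreach ($r in $results) {
    '{0}: CDP hosts = {1}; AIA hosts = {2}' -f $r.Computer,
        ((Get-UrlHosts $r.Cdp) -join ','), ((Get-UrlHosts $r.Aia) -join ',')
}

# Exactly one distinct host for CDP and one for AIA across all CAs means they agree.
$cdpHosts = @($results | ForEach-Object { Get-UrlHosts $_.Cdp } | Sort-Object -Unique)
$aiaHosts = @($results | ForEach-Object { Get-UrlHosts $_.Aia } | Sort-Object -Unique)
if ($cdpHosts.Count -eq 1 -and $aiaHosts.Count -eq 1) {
    'OK: both CAs publish CDP under {0} and AIA under {1}' -f $cdpHosts[0], $aiaHosts[0]
} else {
    'WARNING: CDP/AIA hosts differ between the CAs. CDP={0} AIA={1}' -f
        ($cdpHosts -join ','), ($aiaHosts -join ',')
}
```

The check deliberately ignores LDAP and file:// entries, since those are the per-CA publication targets; what matters to a relying party is that the HTTP location embedded in issued certificates resolves for both CAs, so a warning here means clients validating a certificate from one CA may fail revocation checking when that CA's site is down.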
 
LVL 37

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 40013462
You already have two certificate servers, hence you cannot sync their databases; they are both independent CA servers.

If you want to build redundancy for the CA server, you need to build brand new CA servers in a Windows failover cluster
http://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx

Also note that your existing CA servers need to be demoted / uninstalled and you need to re-enrol all certificates with the new clustered CA

According to me this is too much for a small-scale to medium-scale organization

Simply taking a CA server database and registry backup will suffice for your requirement with very minimal downtime
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx

Here what you are trying to do is just back up the CA with database and registry; in case the CA server fails, build another member server with the same name in Active Directory and install CA services on that server with the existing CA backup and certificate option.
This works well all the time and is less costly.

Mahesh
0
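The "database and registry backup" this answer recommends, as an added example that is not from the thread or from Microsoft's documentation. It assumes it is run locally on the CA by a CA administrator on Windows Server 2012 R2 (which ships the ADCSAdministration module with Backup-CARoleService and Restore-CARoleService), and the backup root D:\CABackup is a placeholder.

```powershell
# Added example (not from the thread): take a restorable backup of a CA consisting of
# the CA database, the CA certificate with its private key, and the CertSvc registry
# configuration, written to a date-stamped folder.
Import-Module ADCSAdministration

$backupRoot = 'D:\CABackup'                       # assumed location, ideally off-box
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$target     = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. CA database (certsrv.edb plus logs) and the CA certificate/private key as a PFX.
#    The password protects the exported private key; keep it in a secured vault,
#    never in the same folder as the backup.
$pfxPassword = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString
Backup-CARoleService -Path $target -Password $pfxPassword -Force

# 2. CertSvc registry configuration: CRL/AIA publication URLs, validity periods,
#    audit filter and so on. A database-only backup does not contain this.
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
& reg.exe export $regKey (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null

# 3. CAPolicy.inf, if one was used when the CA was installed.
$capolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $capolicy) { Copy-Item $capolicy $target }

# 4. Record what was taken so a later restore can be checked against it.
Get-ChildItem -Recurse $target |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $target 'manifest.csv') -NoTypeInformation

"Backup written to $target"

# Restore on a rebuilt member server with the same name, after installing the CA role
# with the "existing certificate" option (the procedure this answer describes):
#   Stop-Service CertSvc
#   Restore-CARoleService -Path <backup folder> -Password <same password> -Force
#   reg.exe import <backup folder>\CertSvc-Configuration.reg
#   Start-Service CertSvc
```

The registry export is the part most often forgotten: without it the restored CA issues certificates, but with default publication URLs, so certificates issued afterwards would carry CDP/AIA locations that differ from the ones already in circulation. Because the backup folder contains the CA private key, it should be treated with the same care as the CA itself (restricted ACLs, encrypted offline copy).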
 

Author Comment

by:patricktam
ID: 40013711
Thanks guys for giving me some insight.
0
 

Author Closing Comment

by:patricktam
ID: 40061092
Good hints for my further investigation and testing
0