AD CS Design
We're about to implement a two-tier AD CS solution. What I don't understand is when I create the Root CA, do I select Enterprise or Stand Alone?
What we want is a Root CA that we can take offline and let the subordinate CAs issue the certificates. My understanding is that for this design, we would install AD CS on a Workgroup Server and the subordinates on member servers in the domain.
Am I missing something? I just want to clear up the confusion that we have.
December 13th, 2011 12:16pm
Hi Gene,
The RootCA will be Stand Alone CA and deployed in a Workgroup. It should be taken offline after issuing the SubCA cert.
Good read >
http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx
Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent | ADRMS Wiki Portal: Technet Wiki
December 13th, 2011 1:07pm
Hi Gene,
In a two-tier PKI, it is usually recommended to place the Root CA on a workgroup member and take it offline when the setup is completed. When installing the Root CA, you can only select the Stand-alone option since the Enterprise CA needs Active Directory.
Here are some useful articles which might be helpful for you.
Design Considerations before Building a Two Tier PKI Infrastructure
http://blogs.technet.com/b/pki/archive/2010/06/19/design-considerations-before-building-a-two-tier-pki-infrastructure.aspx
Designing and Implementing a PKI
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
Bruce
Forum Support
December 14th, 2011 2:48am
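The split described in the replies above, as an added example that is not part of the original thread: a PowerShell function that refuses to install the wrong CA type for the host's domain membership. It assumes Windows Server 2012 or later (the ADCSDeployment cmdlets) and an Enterprise subordinate; the function name, CA names, key length, validity period and request path are illustrative assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Install-TwoTierCaRole, the CA common names, 4096-bit keys,
# the 20-year root lifetime and C:\CAConfig are assumptions, not thread values.
function Install-TwoTierCaRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('OfflineRoot', 'IssuingSub')]
        [string]$Role
    )

    # True when the server is a domain member, False for a workgroup server.
    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    if ($Role -eq 'OfflineRoot') {
        # The root stays out of the domain so it can be powered off and
        # stored offline; without AD, Standalone is the only CA type.
        if ($joined) { throw 'Root CA host is domain-joined; use a workgroup server.' }

        Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
        Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
            -CACommonName 'Example Root CA' `
            -KeyLength 4096 -HashAlgorithmName SHA256 `
            -ValidityPeriod Years -ValidityPeriodUnits 20 -Force
    }
    else {
        # An Enterprise CA publishes to and reads from Active Directory,
        # so the issuing CA must be a domain member.
        if (-not $joined) { throw 'Enterprise CA needs Active Directory; join the domain first.' }

        New-Item -ItemType Directory -Path 'C:\CAConfig' -Force | Out-Null
        Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools | Out-Null
        # The subordinate writes a request file that is carried to the
        # offline root for signing; the root goes offline after issuing it.
        Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
            -CACommonName 'Example Issuing CA 1' `
            -KeyLength 4096 -HashAlgorithmName SHA256 `
            -OutputCertRequestFile 'C:\CAConfig\IssuingCA1.req' -Force
    }
}
```

Run `Install-TwoTierCaRole -Role OfflineRoot` on the workgroup server and `Install-TwoTierCaRole -Role IssuingSub` on each domain member that will issue certificates.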


