AD CS Design and scalability question
Good day, everyone. I have a question about Certificate Services design.
Let's say we have one company consisting of 1 site that has about 500 users in it. This company already has an AD CS server deployed: 2008 R2, single Enterprise root CA, domain member, no other CA servers, no additional issuing servers.
In the near future this company is planning to buy another company, located in another town. They will have some sort of WAN connection between them, but this connection is slow and unreliable. This company2 has a total mess in its IT infrastructure and lots of users, and over time their workstations will be migrated into company1's domain. So in the end only 1 AD domain will be left.
The question is: is it a valid solution to set up a subordinate issuing CA in company2's site so that users from company1 obtain their certificates from the root CA and users from company2 obtain their certificates from the subordinate CA? We assume that the root CA's certificate is added to the trusted list on computers in both sites.
February 20th, 2011 10:37pm
Hi,
Considering that the WAN connection is slow and unreliable, setting up a subordinate CA in the company2 site can ensure that certificate enrollment works properly. However, it will increase administration cost.
As they are two different forests, you need to publish the root CA certificate into the company2 forest. For more information, please refer to the following article:
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/ff955842(WS.10).aspx
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 23rd, 2011 3:24am
Hi,
Considering that the WAN connection is slow and unreliable, setting up a subordinate CA in the company2 site can ensure that certificate enrollment works properly. However, it will increase administration cost.
As they are two different forests, the root CA certificate will not be added to the trusted store on computers in company2 automatically. You can publish the root CA certificate into the company2 forest. For more information, please refer to the following article:
http://technet.microsoft.com/en-us/library/ff955845(WS.10).aspx
February 23rd, 2011 3:24am
They won't be in two different forests. Only one AD forest with one domain in it will be left.
The gist is: is it OK if different users in the same domain receive their certificates from different levels (root and subordinate) of CAs?
In all scenarios that I've read about before there was a lot of initial planning, and if the company was big enough and had lots of big branches, there were a number of issuing CAs already at the planning stage. But in my example the company already had a deployed solution and simply outgrew it. How do I scale it properly?
February 23rd, 2011 5:57pm
Hi,
The certificate enrollment process is not site-aware. This means that the enrollment code does not look to see what site the client and CA are in. The enrollment code just queries for the list of enrollment service objects and selects a CA based on the templates that the CA supports and the template that the user/computer is attempting to enroll for.
If more than one CA is able to issue the certificate, it selects the CA to enroll against randomly. However, the following options may help you achieve a similar result:
Create two certificate templates for the same usage and add them to different CAs. For example, add certificate template A to the root CA and template B to the subordinate CA.
Manually specify the CA when you request certificate.
Hope it helps.
February 23rd, 2011 9:34pm
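The two points in the answer above (enrollment picks randomly among CAs that publish the same template, and a request can be pinned to one CA) can be checked and applied from PowerShell. This is an added example, not code from the thread; the CA host name, CA name and the template name "Site2User" are assumptions, and it uses only the built-in ADSI classes and certreq.exe so it runs on 2008 R2.

```powershell
# Added example: list which enterprise CAs publish which templates, warn about
# templates published on more than one CA, then pin a request to a single CA.
# CA names, host names and the template name below are assumed, not real.

# One pKIEnrollmentService object exists per enterprise CA in the Configuration
# partition; its certificateTemplates attribute is that CA's published list.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$esPath   = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$esPath)
$searcher.Filter = "(objectClass=pKIEnrollmentService)"
$null = $searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))

$caTemplates = @{}
foreach ($result in $searcher.FindAll()) {
    $caName    = [string]$result.Properties["cn"][0]
    $caHost    = [string]$result.Properties["dnshostname"][0]
    $templates = @($result.Properties["certificatetemplates"])
    $caTemplates["$caHost\$caName"] = $templates
    Write-Host "$caHost\$caName publishes: $($templates -join ', ')"
}

# A template published on more than one CA is enrolled against a randomly
# chosen CA (the behaviour described in the answer); flag those so each
# site-specific template can be left on exactly one CA.
$caTemplates.Values | ForEach-Object { $_ } | Group-Object |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning "Template '$($_.Name)' is on $($_.Count) CAs; enrollment picks one at random."
    }

# Second option from the answer: name the CA explicitly with certreq -config.
# "Site2User" and "ca2.site2.example.com\Company-Site2-SubCA" are assumed values.
$infContent = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
MachineKeySet = FALSE
[RequestAttributes]
CertificateTemplate = Site2User
"@
$inf = Join-Path $env:TEMP "site2user.inf"
$req = Join-Path $env:TEMP "site2user.req"
$cer = Join-Path $env:TEMP "site2user.cer"
Set-Content -Path $inf -Value $infContent -Encoding ASCII
& certreq.exe -new $inf $req
& certreq.exe -submit -config "ca2.site2.example.com\Company-Site2-SubCA" $req $cer
& certreq.exe -accept $cer
```

Run the first part as any domain user to audit template placement; the certreq part needs Enroll permission on the named template at the named CA.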
That pretty much answers my question, thanks.
Even more, now, after your responses and after reading tons of forums, I am starting to think that in my case a second CA is redundant. And if the organisation gets even bigger, a scheme with two CAs and two templates will do it.
February 23rd, 2011 11:33pm