CA Roles
Hi there, I have never really got involved in CA roles before but now it looks like I need to dip my toe in a little deeper. So, I have already got a W2K8 R2 CA role on one of my DCs. This is mainly used for users to authenticate through Citrix using SSL. I have noticed a flaw in the plan though. Because I have 2 authentication servers specified in the Citrix Netscaler, using a round robin type of scenario, and the user hits a DC that does not have the CA role installed on it, they get an error about the credentials being invalid. As expected really. So I want to make both of these use CA roles. Can anyone recommend how this would be achieved? Would I use a subordinate, or create a new CA Root server? Would they need to use the same private key, or can I create a new one for the new server? Sorry if there is an obvious answer for this. Regards
August 30th, 2011 6:33am

Having one issuing/enterprise CA in your AD should be just enough for the setup you are describing. The problem with the other DC is probably that the DC does not have its own authentication certificate and you need to create/request one. Can you give some more details about how this SSL authentication is performed and what credentials the users are using in this scenario? /Hasain
August 31st, 2011 2:47am

Hi and good morning. Thanks for the reply. Bit of info for you, as requested. We use a Citrix Netscaler, for our external users to connect to our virtual desktops. The users use their AD credentials. In the Netscaler authentication policies, you can specify the DC used to authenticate these credentials. Here we only used to have one DC specified. We use SSL certificates to ensure the traffic is secure. If we add another DC in the authentication policy on the Netscaler, and when a user tries to login, if they have hit the new DC to authenticate, then they get an error that the credentials were invalid. If they hit the one with CA on, they can successfully logon.
August 31st, 2011 3:13am

It seems that Citrix Netscaler uses LDAP over SSL to communicate with DCs, so you need to make sure all DCs have received a certificate from your CA. Is your CA installed as an Enterprise or standalone CA? /Hasain
August 31st, 2011 4:19am

Thanks for the reply. Using the logic of checking if I have Certificate Templates in certsrv.msc, which I don't, I assume I have Stand-Alone.
August 31st, 2011 7:00am

To request a domain controller certificate from a standalone CA just follow the steps (make sure you follow the standalone related steps in each section):

Download the script Reqdccert.vbs
http://technet.microsoft.com/en-us/library/cc775547(WS.10).aspx

Requesting Offline Domain Controller Certificates
http://technet.microsoft.com/en-us/library/cc783835(WS.10).aspx

Processing Domain Controller Certificates
http://technet.microsoft.com/en-us/library/cc787009(WS.10).aspx

Domain Controller Certificate Installation
http://technet.microsoft.com/en-us/library/cc785678(WS.10).aspx

/Hasain
August 31st, 2011 5:47pm
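Once the certificate has been requested and installed on the second DC, the question that remains is whether the DC actually presents a usable certificate on the LDAPS port the Netscaler dials (the point Hasain makes about every DC needing a certificate, and the end state of the four installation steps above). The script below is an added example, not code from the thread or from Microsoft's Reqdccert.vbs. Run from a management host, it connects to port 636 on each DC and reports whether TLS negotiates, whether the presented certificate carries the Server Authentication EKU, whether its name matches the FQDN you dialled, and whether the chain validates against this host's trust store. The DC names are placeholders; the EKU OID 1.3.6.1.5.5.7.3.1 is the standard Server Authentication identifier.

```powershell
# Added example (not from the thread): check what each DC presents on the LDAPS port.
# Assumption: these two FQDNs are placeholders for your own domain controllers.
$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')
$ServerAuthEku     = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$SanOid            = '2.5.29.17'           # Subject Alternative Name

function Test-DcLdapsCertificate {
    param([Parameter(Mandatory=$true)][string]$DcFqdn)

    $report = [ordered]@{
        DC            = $DcFqdn
        TlsNegotiated = $false
        Subject       = $null
        Issuer        = $null
        NotAfter      = $null
        ServerAuthEku = $false
        NameMatches   = $false
        ChainErrors   = 'not tested'
        Error         = $null
    }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($DcFqdn, 636)
        # Accept any certificate during the handshake; the chain is checked explicitly below
        # so that a failure is reported instead of aborting the test.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($DcFqdn)
        $report.TlsNegotiated = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject  = $cert.Subject
        $report.Issuer   = $cert.Issuer
        $report.NotAfter = $cert.NotAfter

        # EKU: an LDAPS certificate must permit Server Authentication, otherwise Schannel will not use it
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku) {
            $report.ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })
        }

        # Name: the FQDN the Netscaler dials must appear in the SAN (or, failing that, the CN)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $report.NameMatches = ($sanText -match [regex]::Escape($DcFqdn)) -or ($cn -ieq $DcFqdn)

        # Chain: does this host trust the issuing CA? Revocation is skipped so an unreachable
        # CRL does not mask a missing root; ChainStatus lists the real reason for any failure.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($cert)) {
            $report.ChainErrors = 'none'
        } else {
            $report.ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    catch {
        $report.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$report
}

$DomainControllers | ForEach-Object { Test-DcLdapsCertificate -DcFqdn $_ } | Format-List
```

A DC that still lacks its certificate shows up as TlsNegotiated = False with a connection or handshake error, which is the state that produces the "credentials invalid" result on the Netscaler side. Note that ChainErrors reflects the trust store of the host running the script, not the Netscaler's; with a standalone CA the root must also be imported on the Netscaler, so treat a chain failure here as a prompt to check that import as well.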

