Certificate Authority infrastructure question
Hi all,

My infrastructure is:
- 1 enterprise root CA (DC with Server 2003 Standard) that has already issued about 5000 certificates (mostly basic EFS from clients);
- 800 servers (2003 and 2008);
- 8000 clients (XP and Windows 7).

We want to begin to use fault tolerance with the CA and prepare the system to work with more computer and user certificates for VPN and wireless (certificates for VPN and APs are an objective for the near future, that's why I need help to plan the CA infrastructure with minimum changes...).

I've been reading a lot of things on the web and I have some issues:
- The Enterprise Root CA is a Windows Server 2003 Standard edition (cannot reinstall with the Enterprise version because there are other services running);
- I have the possibility of installing a new subordinate CA, but I have only Server 2003 or 2008 Standard versions available;
- We need fault tolerance and load balancing.

My first approach is:
- Configure 2 new enterprise subordinate CAs (Server 2003 Standard) linked to the Enterprise root CA (2 sites);
- Make the sub CAs issue new certificates and revocations;
- Enterprise root CA not issuing certificates.

Questions:
- Are 2 new Enterprise Sub CAs good for fault tolerance? (first to respond to requests, first to issue);
- Can't find information about how to relate the 2 sites to a specific sub CA (load balancing and fault tolerance);
- Can't find information about stopping the issuing of certificates on the Enterprise Root CA;
- Can't find information about what to do with the 5000 certificates already issued by the Enterprise Root CA;
- We just have Windows Server 2003/2008 Standard editions, so we can't use GPO for automatic issuing of certificates; is there another way to do it? (VPN and wireless)
- I know that it is easy to stop a Root CA from issuing certificates if it's a standalone Root CA, offline, and that's good. In our case it's impossible because the root CA is a Domain Controller and DHCP Server...

Sorry about the questions, but on the web I can't find answers for this...

Many thanks,
Luis Carmo
June 26th, 2010 10:11pm

Hello Luis, sorry for the wrong entry. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
June 27th, 2010 1:06pm

What link is this ???
June 27th, 2010 7:07pm

Hi,

Please check the answer below:

- Are 2 new Enterprise Sub CAs good for fault tolerance? (first to respond to requests, first to issue);
- Can't find information about how to relate the 2 sites to a specific sub CA (load balancing and fault tolerance);

Generally speaking, all Enterprise CAs will create an enrollment service object in Active Directory (CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com). When a user requests a certificate by using the Certificates MMC snap-in, the certificate requester will enumerate all registered enrollment services in Active Directory (the Enrollment Services container in the configuration partition) and send its request to a CA that can enroll the certificate type that the user wants. As far as I know, CA selection is random and therefore a client computer may not access the CA in its local site to request a certificate.

- Can't find information about stopping the issuing of certificates on the Enterprise Root CA;

To stop the Enterprise root CA issuing certificates, you may remove the unnecessary certificate templates from the Certification Authority\Certificate Templates folder on the root CA.

- Can't find information about what to do with the 5000 certificates already issued by the Enterprise Root CA;

I think you can keep the certificates or revoke them.

- We just have Windows Server 2003/2008 Standard editions, so we can't use GPO for automatic issuing of certificates; is there another way to do it? (VPN and wireless)

For computer certificates, you can use the Automatic Certificate Request Settings policy.

Automatic certificate request settings
http://technet.microsoft.com/en-us/library/cc776310(WS.10).aspx

Hope the information is helpful for your work. In addition, I've moved the thread to the Security forum so that you can get more suggestions from other PKI experts.

This posting is provided "AS IS" with no warranties, and confers no rights.
June 29th, 2010 8:59am
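The answer above says clients pick any registered enterprise CA at random, and that the root CA stops issuing once no templates are published on it. The following PowerShell script is an added example, not code from the thread; it reads the Enrollment Services container named in the answer, lists the templates each CA publishes, flags templates missing from one of the subordinate CAs (a fault-tolerance gap, since a random client could land on the CA that lacks it), and prints, without running, the certutil commands that would unpublish each remaining template from the root CA. The root CA name is a placeholder to replace with your own.

```powershell
# Added example, not from the thread. Run from any domain-joined machine.
# $RootCaName is a placeholder: the CA common name shown in the Certification
# Authority console, not the DC's host name.
param([string]$RootCaName = "ROOT-CA-NAME-PLACEHOLDER")

$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$path     = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$path)
$searcher.Filter = "(objectClass=pKIEnrollmentService)"
[void]$searcher.PropertiesToLoad.AddRange(@("cn", "dnshostname", "certificatetemplates"))

# One entry per enterprise CA registered in the forest.
$cas = @{}
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties["cn"][0]
    $cas[$name] = @{
        Host      = [string]$r.Properties["dnshostname"][0]
        Templates = @($r.Properties["certificatetemplates"] | ForEach-Object { [string]$_ })
    }
}

# 1. What each CA currently publishes (what a client enumerating AD will see).
foreach ($name in $cas.Keys) {
    "{0} ({1}): {2}" -f $name, $cas[$name].Host, ($cas[$name].Templates -join ", ")
}

# 2. Templates not published on every subordinate CA. Because CA selection is
#    random, a template missing on one sub CA gives intermittent enrollment
#    failures rather than fault tolerance.
$subs = @($cas.Keys | Where-Object { $_ -ne $RootCaName })
$all  = $subs | ForEach-Object { $cas[$_].Templates } | Sort-Object -Unique
foreach ($t in $all) {
    $missing = $subs | Where-Object { $cas[$_].Templates -notcontains $t }
    if ($missing) { "Template '$t' is missing on: $($missing -join ', ')" }
}

# 3. Root CA still publishing templates: print the certutil command that would
#    unpublish each one (one template per command) for review before running.
if ($cas.ContainsKey($RootCaName) -and $cas[$RootCaName].Templates.Count -gt 0) {
    "Root CA $RootCaName still publishes templates; to stop it issuing, review and run:"
    foreach ($t in $cas[$RootCaName].Templates) {
        '  certutil -config "{0}\{1}" -SetCATemplates -{2}' -f $cas[$RootCaName].Host, $RootCaName, $t
    }
}
```

Re-run the script after the changes: the root CA line in section 1 should show no templates, and section 2 should print nothing once both sub CAs publish the same set.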
