Certificate Authority infrastructure question
Hi all,

My infrastructure is:
- 1 Enterprise Root CA (a DC with Server 2003 Standard) that has already issued about 5000 certificates (mostly basic EFS for clients);
- 800 servers (2003 and 2008);
- 8000 clients (XP and Windows 7).

We want to begin to use fault tolerance with the CA and prepare the system to work with more computer and user certificates for VPN and wireless (certificates for VPN and APs are an objective for the near future, that's why I need help to plan the CA infrastructure with minimum changes...). I've been reading a lot of things on the web and I have some issues:
- The Enterprise Root CA is a Windows Server 2003 Standard edition (cannot reinstall with the Enterprise version because there are other services running);
- I have the possibility of installing a new subordinate CA, but I have only Server 2003 or 2008 Standard versions available;
- We need fault tolerance and load balancing.

My first approach is:
- Configure 2 new Enterprise Subordinate CAs (Server 2003 Standard) linked to the Enterprise Root CA (2 sites);
- Make the SubCAs issue new certificates and revocations;
- Enterprise Root CA not issuing certificates.

Questions:
- Are 2 new Enterprise SubCAs good for fault tolerance? (first to respond to requests, first to issue);
- Can't find information about how to relate the 2 sites to a specific SubCA (load balancing and fault tolerance);
- Can't find information about how to stop issuing certificates on the Enterprise Root CA;
- Can't find information about what to do with the 5000 certificates already issued by the Enterprise Root CA;
- We just have Windows Server 2003/2008 Standard editions, so we can't use GPO for automatic issuing of certificates; is there another way to do it? (VPN and wireless)
- I know that it is easy to stop a Root CA issuing certificates if it's a standalone Root CA... offline, and that's good. In our case it is impossible because the root CA is a Domain Controller and DHCP server...

Sorry about the questions, but on the web I can't find answers for this...

Many thanks,
Luis Carmo
June 26th, 2010 10:11pm

Hello Luis, sorry for the wrong entry. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
June 27th, 2010 1:06pm

What link is this?
June 27th, 2010 7:07pm

Hi,

Please check the answers below:

- 2 new Enterprise SubCAs are good for fault tolerance? (first responding to requests, first issue);
- Can't find information about how to relay the 2 sites for a specific SubCA (load balancing and fault tolerance);

Generally speaking, every Enterprise CA creates an enrollment service object in Active Directory (CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com). When a user requests a certificate by using the Certificates MMC snap-in, the certificate requester enumerates all registered enrollment services in Active Directory (the Enrollment Services container in the configuration partition) and sends its request to a CA that can enroll the certificate type that the user wants. As far as I know, CA selection is random and therefore the client computer may not access the CA in the local site to request a certificate.

- Can't find information about how to stop issuing certificates on the Enterprise Root CA;

To stop the Enterprise Root CA issuing certificates, you may remove the unnecessary certificate templates from the Certification Authority\Certificate Templates folder on the root CA.

- Can't find information about what to do with the 5000 certificates already issued by the Enterprise Root CA;

I think you can keep the certificates or revoke them.

- We just have Windows Server 2003/2008 Standard editions, so we can't use GPO for automatic issuing of certificates; is there another way to do it? (VPN and wireless)

For computer certificates, you can use the Automatic Certificate Request Settings policy.

Automatic certificate request settings
http://technet.microsoft.com/en-us/library/cc776310(WS.10).aspx

Hope the information is helpful for your work. In addition, I've moved the thread to the Security forum so that you can get more suggestions from other PKI experts.

This posting is provided "AS IS" with no warranties, and confers no rights.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 29th, 2010 8:59am
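As an added example (not from the thread or from Microsoft), the following PowerShell script lists the CAs registered in the Enrollment Services container described above and the templates each one publishes, which is the list enrolling clients choose from at random; a root CA that still publishes templates is flagged. It uses plain ADSI so it runs on 2003/2008 without the AD module; the root CA name is a placeholder you replace.

```powershell
# Added example: enumerate the pKIEnrollmentService objects that every Enterprise CA
# registers in the configuration partition, and show which templates each CA publishes.
# Run on a domain-joined machine. Assumption: -RootCaName is the CA name (cn) of your
# Enterprise Root CA; 'ROOT-CA-NAME' is a placeholder.
param(
    [string]$RootCaName = 'ROOT-CA-NAME'
)

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = $rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'certificateTemplates'))

$results = $searcher.FindAll()
foreach ($r in $results) {
    # Result property names come back lowercased by DirectorySearcher.
    $name      = [string]$r.Properties['cn'][0]
    $dnsHost   = [string]$r.Properties['dnshostname'][0]
    $templates = @($r.Properties['certificatetemplates'])

    Write-Host ("CA '{0}' on {1} publishes {2} template(s)" -f $name, $dnsHost, $templates.Count)
    $templates | ForEach-Object { Write-Host "    - $_" }

    # Clients send requests to any CA in this list that publishes the requested template,
    # so a root CA that still publishes templates keeps receiving enrollment requests.
    if ($name -eq $RootCaName -and $templates.Count -gt 0) {
        Write-Warning "Root CA '$name' still publishes templates; remove them in the Certification Authority console under Certificate Templates to stop it issuing."
    }
}
$results.Dispose()
```

Rerun the script after removing templates from the root CA: its certificateTemplates list should be empty while the subordinate CAs still publish the templates clients need.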

Hello again, we're making changes in this PKI environment. I just want to clarify 2 things:

1) "As far as I know, CA selection is random and therefore the client computer may not access the CA in the local site to request a certificate..."
Question: if I have 2 Enterprise SubCAs with, for example, a user template certificate and a GPO to autoenroll, how does CA selection work? Just bear in mind that my main objective is to make some load balancing because the 2 SubCAs are in different sites.

2) Question: Given that I now have 2 Enterprise SubCAs, what happens if one of them is dead? CRL fault tolerance to the live SubCA for new certificate requests? What about certificates issued by the dead server (revoke or renew)? Will the live SubCA handle this?

Many thanks and kind regards,
Luís Carmo
October 15th, 2011 2:46pm

Once a certificate template with the proper ACE has been enumerated, the autoenrollment process will search for a Microsoft Enterprise Certificate Authority in Active Directory that can issue the template. If more than one Enterprise CA is found, the client will try each CA in the list in random order (for load balancing) until a CA responds and is able to issue a certificate; go to http://msdn.microsoft.com/en-us/library/bb643324.aspx#EFD and see "Issuing the template".

Once a certificate has been issued, operations related to that certificate's CRL checking and revocation are directed to the issuing CA. No failover to other Enterprise CAs can be used. Renewal of a certificate is handled the same way as new enrollment operations, and the client should switch to the next available Enterprise CA when possible.

/Hasain
October 16th, 2011 2:06am

Hello Hasain,

Regarding the current certificate infrastructure that we have, is it possible to deploy auto-enrolled user certificates to a different domain/forest (with trusts)?

Many thanks,
Luís Carmo
October 18th, 2011 7:09am

You can use Cross-Forest Certificate Enrollment to deploy certificates across forest trusts. Install or upgrade one or more of your Enterprise CAs to run on Windows Server 2008 R2 in the resource forest. Read more here: http://technet.microsoft.com/en-us/library/ff955845(WS.10).aspx

/Hasain
October 18th, 2011 8:52am

Hello again,

Regarding the changes I've made today.

Yesterday's PKI infrastructure:
-> Enterprise Root CA - Windows Server 2003 Standard;
-> Subordinate CA - Windows Server 2003 Standard;
-> Certificates issued to clients: some default templates;
-> RADIUS servers: 2, with server certificates issued by the Subordinate CA (we are using PEAP).

Today's planned changes:
-> Enterprise Root CA (no changes);
-> Subordinate CA (no changes);
-> Configured a new Subordinate CA with Server 2008 R2 Enterprise.

And the problem was that those 2 certificates issued by the old Subordinate CA were deleted (missing) from the RADIUS servers, and all my RADIUS infrastructure stopped, with a couple of hundred clients affected. I had to request new certificates for the RADIUS servers, issued by the new Subordinate CA, for things to work again.

Question: What happened to the certificates issued to the RADIUS servers? I had a problem with 1 DC:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date: 10/25/2011
Time: 11:12:22 AM
User: N/A
Computer: EDPDTCINF2
Description: The "Windows default" Policy Module logged the following warning: The Active Directory connection to EDPCPDDC1.edp.pt has been reestablished to EDPDTCDC2.edp.pt.

Nothing else happened, and I'm curious to figure out what happened to the 2 server certificates issued by the old SubCA... can you help?

Kind regards,
Luís Carmo
October 25th, 2011 9:18am
