Certificate Services, install on domain controller?
We have three domain controllers, all running Win Server 2008 R2. We have about 30 member servers running all types of services, including Exchange 2007, SQL 2005, etc. I want to install Microsoft Active Directory Certificate Services (AD CS) so I can generate self-signed certificates. I have a number of services on campus that need self-signed certificates so I can get rid of the annoying messages about services not being trusted.

What is best practice for where certificate services should be installed? On my primary domain controller? On one of the other domain controllers? On a separate member server dedicated to this service?

I have found the following articles on installing this service, but they do not mention where it should be installed.
http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/
http://aaronwalrath.wordpress.com/2010/04/16/install-an-enterprise-certificate-authority-in-windows-2008-r2/
http://d3planet.com/rtfb/2009/11/10/install-certificate-services-on-windows-server-2008-r2/
September 6th, 2010 5:31pm

> What is best practice for where certificate services should be installed? On my primary domain controller? On one of the other domain controllers? On a separate member server dedicated to this service? I have found the following articles on installing this service but it does not mention where it should be installed.

The best practices for Active Directory Certificate Services:
1- You should use Secondary Enterprise CAs to issue and manage certificates.
2- The Enterprise Root CA should be kept offline.

The Enterprise Root CA should be kept offline for the following reason. Suppose a hacker attacked an Enterprise Secondary CA. In this case, you can revoke its certificate so that all the certificates issued by this CA are revoked. Now suppose a hacker attacked the Enterprise Root CA. Here, you may be in big trouble.

So, in your case, I recommend that you:
1- Install the Enterprise Root CA on a server that hosts no other services.
2- Install your Enterprise Secondary CAs, which will issue and manage certificates. (You can use a new server; there is no problem with that.)
3- Keep your Enterprise Root CA offline once you have installed and certified all your Secondary CAs.

So, there is no need to install AD CS on domain controllers. You should just keep in mind what I told you.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 6th, 2010 5:51pm

On Mon, 6 Sep 2010 14:51:10 +0000, Mr X wrote:
> 2- The Enterprise Root CA should be kept offline

An Enterprise CS cannot, by definition, be offline.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
September 6th, 2010 6:01pm

On Mon, 6 Sep 2010 15:01:44 +0000, Paul Adare wrote:
> An Enterprise CS cannot, by definition be offline.

CS should be CA.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
September 6th, 2010 6:04pm

I have a small environment, so my original thought was just to have a root CA and not a secondary CA. We are a public school district with about 4,300 students and will be using the CA to issue about 5 or 6 certs to use internally. For example, my wireless controllers (Meru) and my centralized storage (NetApp) both have web-based interfaces. When either I or my staff visit these interfaces, we always get the message that this may not be a trusted site and have to hit "Continue to this site" to get the login screen. If I can issue certificates via my own CA and then import them into the Meru and NetApp interfaces, these messages will no longer be displayed. Of course, none of this is visible to anyone outside my network, hence the use of certificates generated internally.

I am thinking about bringing up another WinServer 2008 R2 server under VMware and using it as my Root CA. After a bit more digging, installing certificate services on an existing domain controller seems like a bad idea. Your thoughts?
September 6th, 2010 11:37pm

On Mon, 6 Sep 2010 20:37:49 +0000, HendersonD wrote:
> I have a small environment so my original thought was just to have a root CA and not a secondary CA. We are a public school district with about 4,300 students and will be using the CA to issue about 5 or 6 certs to use internally. For example, my wireless controllers (Meru) and my centralized storage (Netapp) both have web based interfaces. When either me or my staff visit these interfaces we always get the message that this may not be a trusted site and have to hit "continue to this site" to get the login screen. If I can issue certificates via my own CA and then import them into the Meru and Netapp interfaces, these messages will no longer be displayed. Of course, none of this is visible to anyone outside my network, hence the use of certificates generated internally.

If you already have certificates that can be used for these devices, then there's no compelling need to stand up a CA just to get rid of those error messages. I'm assuming that these are some kind of self-signed certificates, and if that's the case, then you can either send copies of the certs to those who need them and they can manually import them into the Trusted Root Certification Authorities store on their local computers, or you could create a GPO and distribute them that way.

> I am thinking about bringing up another WinServer 2008 R2 server under VMWare and using it as my Root CA. After a bit more digging, installing certificate services on an existing domain controller seems like a bad idea.

Installing any additional role on a domain controller is not good from a strict security perspective, in that you want to try to minimize the attack surface on your DCs. With AD CS you have another problem, in that you cannot remove Active Directory (in the event you want to decommission a DC, for example) without first removing AD CS from that DC.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
September 7th, 2010 12:16am
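The two recommendations in the replies above (keep AD CS off the domain controllers, keep the root offline and let an enterprise subordinate issue, and get the trust anchor onto every domain member rather than clicking through warnings) can be scripted. The following is an added example written for this page; it is not code from the thread or from Microsoft's guides. It assumes a domain-admin session on the intended issuing-CA host, an offline root whose certificate has already been exported to C:\PKI\campus-root.cer (hypothetical path), the CA name "Campus Issuing CA" (hypothetical), and the ADCSDeployment cmdlets that ship with Server 2012 and later; on 2008 R2, as discussed in the thread, the role is installed with Add-WindowsFeature and the CA configuration step is done through the Server Manager wizard, while the DomainRole check and the certutil commands work unchanged.

```powershell
# Added example, not from the original thread. Assumptions: run as a domain
# admin on the server that will become the issuing CA; the offline root's
# certificate is at C:\PKI\campus-root.cer (hypothetical path); the
# ADCSDeployment module (Server 2012+) is available. On 2008 R2 use
# Add-WindowsFeature for step 2 and the Server Manager wizard for step 4.

$RootCertFile   = 'C:\PKI\campus-root.cer'       # exported from the offline root
$SubCaRequest   = 'C:\PKI\campus-issuing.req'    # request the offline root will sign
$SubCaName      = 'Campus Issuing CA'            # hypothetical CA common name

# 1. Refuse to continue on a domain controller. Win32_ComputerSystem.DomainRole:
#    0/1 workgroup, 2/3 member, 4 backup DC, 5 primary DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "DomainRole=$role: this host is a domain controller. Install AD CS on a member server instead."
}

# 2. Install the CA role binaries (and the certsrv management console).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# 3. Publish the offline root's certificate to Active Directory. Domain members
#    pull it into their local Trusted Root Certification Authorities store via
#    group policy autoenrollment, which replaces hand-importing the cert on
#    every workstation. Fail closed if the root certificate is missing.
if (-not (Test-Path $RootCertFile)) {
    throw "Root CA certificate not found at $RootCertFile; export it from the offline root first."
}
certutil -dspublish -f $RootCertFile RootCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# 4. Configure this server as an enterprise subordinate (issuing) CA. The root
#    stays offline, so the cmdlet only produces a request file; carry it to the
#    root, sign it there, and bring the issued certificate back.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName $SubCaName `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile $SubCaRequest -Force

Write-Host "Sign $SubCaRequest on the offline root, then run:"
Write-Host "  certutil -installcert C:\PKI\campus-issuing.cer"
Write-Host "  Start-Service certsvc"

# 5. Verification from any domain-joined client after 'gpupdate /force':
#    'certutil -store Root' should list the root CA, and browsing to a device
#    that presents a certificate issued by $SubCaName should no longer warn.
```

The DomainRole check is the operational form of the advice in the thread: it makes the "no AD CS on a DC" rule fail closed rather than depending on whoever runs the install remembering it. Step 3 is also what turns the one-off "import the cert on each PC" workaround into a domain-wide trust decision that is revocable later by removing the object with certutil -dsdel; the subordinate's own certificate is the one you revoke at the root if the issuing server is ever compromised, which is the reason the replies want the root kept offline.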

The problem is that these devices cannot generate a self-signed certificate. This is the reason I thought about standing up another server just so I can install Certificate Services and issue self-signed certificates. When I had only one device (site) that gave this message, it was no big deal. Now I have 6 devices that all have web interfaces, and when visiting these interfaces my staff and I are always hit with the security message.
September 7th, 2010 5:02pm

Hi,

It's relatively easy to build a CA in a small environment. Please refer to the following guides:

Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc875810.aspx

Active Directory Certificate Services Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772393%28WS.10%29.aspx

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 8th, 2010 1:23pm

I know I am more than a little late to the party; however, it would seem, from my understanding of virtualization, that this would be a prime opportunity to use it. It would seem that you could put a virtual server in place to perform as your CA. I am a novice at the whole virtualization stuff and have been out of the server arena for quite a while, but I would think your best option here is to pool multiple servers to serve as a cluster hosting multiple virtual servers? That is, if I understand the whole architecture bit correctly. My understanding is that you can take X number of physical servers to create what would functionally be one big server to host any number of virtual servers? I am all ears to any better information.

Mike
April 27th, 2011 7:06am

