Configuration of Certificate Authority for NPS (Network Steve Forum)
Hi Guys, I have searched the forums previously, and found some useful information, but I need clarification on a couple of minor points. This is the previous thread that answered a few of my questions: http://social.technet.microsoft.com/Forums/en-AU/winserverNIS/thread/5783c3ca-203b-4cb3-9ba8-e5e6c8838805

My remaining question is: would best practices advise me to install the certificate authority server on a Domain Controller? I am left wondering if I should DCPROMO my RADIUS server and then create the certificate authority role. My other option is to use one of my current Domain Controllers and install the certificate authority role on that server, and leave the RADIUS server as just a member of the domain. If I do it this way, would I need to push out the certificates via Group Policy to the RADIUS server? Am I missing a step? And again, which is the preferred best practice method?

I am doing all of this for 802.1x authentication w/ PEAP.

Thanks, Steve
March 12th, 2012 9:55pm

You can install it on a DC, however it is highly not recommended nor advised, due to complications with recovery, removing a CA (you have to demote it first), a DC disables write-behind cache, which optimizes the AD database but effectively reduces performance for *anything* you install on a DC, and more.

Here are my notes on it:

==================================================================
==================================================================

Installing CA on a DC

TechNet thread: "AD CS on domain controller?" 6/13/2011
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/064e671a-2e69-4627-9477-c2ed444c3fce

You can install a CA on a DC. Best practice is to try to at least keep the roles separated due to a number of reasons, such as recovery complexity, demotion, services processing overhead, security, etc. What I can say is if you install a CA on a DC, you don't have to manually publish the CRL, CDP, AIA, etc., in AD.

Read comments on it in the following threads:

TechNet: "Certificate Services, install on domain controller?" 09/06/2010
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/66cd9712-b44a-406b-b77f-07ee945bf80f

Quoted by Paul Adare, MVP: Security, in the thread above:

"Installing any additional role on a domain controller is not good from a strict security perspective in that you want to try to minimize the attack surface on your DCs. With AD CS you have another problem in that you cannot remove Active Directory (in the event you want to decommission a DC for example) without first removing AD CS from that DC."

TechNet: "Is there a good reason not to install AD Certificate Services on a 2008 domain controller?" 09/7/2010
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

Quoted from Sander Berkouwer, MVP, in the thread above:

"Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:
- After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
- Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
- Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus the Active Directory Schema.
- You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
- It is unadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk. The role is fairly easily moved to another server."

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
March 13th, 2012 3:28am
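An added check, not code from the thread or from either poster, that turns the advice above into something a defender can run on each candidate server before deciding where the CA and NPS roles go. It assumes Windows Server 2008 R2 or later with the ServerManager module, and is written for PowerShell 2.0 (no [PSCustomObject]); the feature names AD-Domain-Services, AD-Certificate and NPAS-Policy-Server are the standard role identifiers on that platform.

```powershell
# Added audit example (not from the thread): report whether AD DS, AD CS and NPS
# are co-located on this server, and flag the combinations the thread warns about.
Import-Module ServerManager

function Get-RoleColocationReport {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $isDc = ($cs.DomainRole -ge 4)

    $adds = Get-WindowsFeature -Name AD-Domain-Services
    $adcs = Get-WindowsFeature -Name AD-Certificate
    $nps  = Get-WindowsFeature -Name NPAS-Policy-Server

    $findings = @()
    if ($isDc -and $adcs.Installed) {
        # The point Paul Adare and Sander Berkouwer make above: the DC cannot be
        # renamed or demoted until AD CS is removed, and the CA inherits the DC attack surface.
        $findings += 'AD CS is installed on a domain controller: demotion/rename is blocked until AD CS is removed; CA shares the DC attack surface.'
    }
    if ($isDc -and $nps.Installed) {
        # Any extra role on a DC widens its attack surface; the RADIUS server can stay a domain member.
        $findings += 'NPS is installed on a domain controller; consider keeping the RADIUS server a plain domain member.'
    }
    if ($adcs.Installed -and -not $isDc) {
        # Separate CA: CRL/CDP/AIA publication into AD is not automatic per the notes above, so verify it.
        $findings += 'AD CS runs on a member server: verify CRL/CDP/AIA are published where domain clients can reach them.'
    }
    if ($findings.Count -eq 0) {
        $findings += 'No role co-location concerns found.'
    }

    New-Object PSObject -Property @{
        ComputerName       = $cs.Name
        IsDomainController = $isDc
        ADDSInstalled      = $adds.Installed
        ADCSInstalled      = $adcs.Installed
        NPSInstalled       = $nps.Installed
        Findings           = $findings
    }
}

# Run locally on each server under consideration (DC, planned CA host, RADIUS/NPS host).
Get-RoleColocationReport | Format-List
```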

Hi Ace, Thanks for the reply. I just need to hammer out a few details, if you don't mind.

If I do install the CA on a separate server, I would have to use 2008 R2 Enterprise to get the appropriate templates. When I create the CA Enterprise Root, should I create a secondary CA server to do the signing and distribution of digital certs for security practices? After creating the ROOT server, and then shutting it down as recommended, will that affect anything?

Finally, one of the nice things you pointed out with having the CA on the DC was that I would not need to publish the certs in Active Directory. If I have the CA as a separate role, how do I go about publishing the certs? My eventual goal is to have our RADIUS cert authenticate the AD users, so I'm just trying to see how everything ties in together.

Thanks, Steve
March 13th, 2012 10:19am

Actually, Windows 2008 R2 Standard and Enterprise both give you the ability to use v2 and v3 templates. This was a newly added feature for 2008 R2. The only difference between the two is Standard does not provide the ability for web based certificate requests.

Sure, you can take the root offline. I would really suggest for further certificate questions to post them to the security group, since that is the focus of that forum. Maybe we can get this moved.

Tiger, can we get this moved to the Security Forum?

Thank you, Ace

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
March 13th, 2012 12:39pm

This topic is archived. No further replies will be accepted.