Configuration of Certificate Authority for NPS
Hi Guys, I have searched the forums previously, and found some useful information, but I need clarification on a couple of minor points. This is the previous thread that answered a few of my questions: http://social.technet.microsoft.com/Forums/en-AU/winserverNIS/thread/5783c3ca-203b-4cb3-9ba8-e5e6c8838805

My remaining question is: would best practices advise me to install the certificate authority server on a Domain Controller? I am left wondering if I should DCPROMO my RADIUS server and then create the certificate authority role. My other option is to use one of my current Domain Controllers and install the certificate authority role on that server, and leave the RADIUS server as just a member of the domain. If I do it this way, would I need to push out the certificates via Group Policy to the RADIUS server? Am I missing a step? And again, which is the preferred best practice method? I am doing all of this for 802.1X authentication with PEAP.

Thanks, Steve
March 13th, 2012 12:55am
You can install it on a DC, however it is highly not recommended nor advised, due to complications with recovery, removing a CA (you have to demote it first), a DC disables write-behind cache, which optimizes the AD database but effectively reduces performance for *anything* you install on a DC, and more.

Here are my notes on it:
==================================================================

Installing CA on a DC

Technet thread: "AD CS on domain controller?" 6/13/2011
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/064e671a-2e69-4627-9477-c2ed444c3fce

You can install a CA on a DC. Best practice is to try to at least keep the roles separated due to a number of reasons, such as recovery complexity, demotion, services processing overhead, security, etc. What I can say is if you install a CA on a DC, you don't have to manually publish the CRL, CDP, AIA, etc., in AD.

Read comments on it in the following threads:

TechNet: "Certificate Services, install on domain controller?" 09/06/2010
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/66cd9712-b44a-406b-b77f-07ee945bf80f

Quoted by Paul Adare, MVP: Security, in the thread above:
"Installing any additional role on a domain controller is not good from a strict security perspective in that you want to try to minimize the attack surface on your DCs. With AD CS you have another problem in that you cannot remove Active Directory (in the event you want to decommission a DC for example) without first removing AD CS from that DC."

TechNet: "Is there a good reason not to install AD Certificate Services on a 2008 domain controller?" 09/7/2010
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

Quoted from Sander Berkouwer, MVP, in the thread above:
"Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:
- After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
- Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
- Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
- You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
- It is unadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk. The role is fairly easily moved to another server."

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
March 13th, 2012 6:28am
Hi Ace, Thanks for the reply. I just need to hammer out a few details, if you don't mind. If I do install the CA on a separate server, I would have to use 2008 R2 Enterprise to get the appropriate templates. When I create the CA Enterprise Root, should I create a secondary CA server to do the signing and distribution of digital certs for security practices? After creating the ROOT server, and then shutting it down as recommended, will that affect anything? Finally, one of the nice things you pointed out with having the CA on the DC was that I would not need to publish the certs in Active Directory. If I have the CA as a separate role, how do I go about publishing the certs? My eventual goal is to have our RADIUS cert authenticate the AD users, so I'm just trying to see how everything ties in together.

Thanks, Steve
March 13th, 2012 1:19pm
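The question above asks how the certificates get to the RADIUS (NPS) server when the CA lives on a separate member server. The following PowerShell is an added example, not code from the thread or from either poster: run on the domain-joined NPS server, it checks whether the computer store holds a certificate that PEAP can actually use (private key present, Server Authentication EKU, chain builds and CRL reachable), and it lists the certutil commands used to publish a CA certificate and CRL into Active Directory when the CA does not register itself. The file names in angle brackets are placeholders; the "RAS and IAS Server" template name and the OIDs are standard Windows values.

```powershell
# Added example: verify the NPS server has a PEAP-usable certificate and show how a
# CA certificate/CRL is published to AD. Assumes a domain-joined Windows Server with
# the built-in Cert: provider and certutil.exe; <root.cer>/<root.crl> are placeholders.

# --- 1. Candidate server certificates in the computer's Personal store ---
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU that PEAP supplicants require

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}

if (-not $candidates) {
    Write-Warning ('No certificate with a private key and the Server Authentication EKU ' +
                   'was found. NPS cannot offer PEAP until one is enrolled, for example by ' +
                   'autoenrolling the "RAS and IAS Server" template through Group Policy.')
}

# --- 2. Does each candidate chain to a CA this machine trusts, with a reachable CRL? ---
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking: a CRL that the NPS box cannot fetch will fail the chain,
    # which is exactly the condition that also breaks PEAP for clients.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($cert)
    $status = if ($built) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
    '{0,-45} expires {1:yyyy-MM-dd}  chain: {2}' -f $cert.Subject, $cert.NotAfter, $status
}

# --- 3. Publishing the CA into Active Directory (run once, as an Enterprise Admin) ---
# An Enterprise CA installed on any domain member registers its certificate, CDP and AIA
# objects in AD by itself. Only a standalone or offline root needs its certificate and
# CRL added by hand with certutil; domain members then pick the root up through Group
# Policy refresh and trust the certificates it issued to the NPS server:
#
#   certutil -dspublish -f <root.cer> RootCA      # Certification Authorities container
#   certutil -dspublish -f <root.crl>             # CRL distribution point object
#   gpupdate /force                               # on the NPS server, then verify:
#   certutil -enterprise -store Root              # root should now be listed
```

The chain check in step 2 is the part worth keeping as a scheduled health check: PEAP failures after a certificate renewal or a CRL publication lapse show up on clients only as "cannot connect", while this script names the expired certificate or the RevocationStatusUnknown status directly.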
Actually Windows 2008 R2 Standard and Enterprise both give you the ability to use v2 and v3 templates. This was a new added feature for 2008 R2. The only difference between the two is Standard does not provide the ability for web based certificate requests.

Sure, you can take the root offline. I would really suggest for further certificate questions to post them to the security group, since that is the focus of that forum. Maybe we can get this moved.

Tiger, can we get this moved to the Security Forum?

Thank you, Ace
March 13th, 2012 3:39pm