Deploy AD CS Windows 2008 Enterprise SP2
Hi,
I have a domain with AD; the domain is dominio.local.
I have two servers running Active Directory Certificate Services on Windows 2008 Enterprise with SP2. The first is named cs1 (Root Standalone) and the second is cs2 (Subordinate Enterprise).
My question is the following: can I install other AD CS servers, for example:
CS3 (Root Standalone)
CS4 (Subordinate Enterprise)
Can CS4 have incompatibility problems with the other server, CS3?
Can two AD CS Root Standalone and Subordinate Enterprise CAs coexist in the same environment in the same domain?
Thanks a lot :>
AJ
September 21st, 2011 2:06pm
If you are designing a PKI environment, it would be better to reference the link below.
http://awinish.wordpress.com/2010/12/29/designing-and-implementing-a-pki/
Regards
Awinish Vishwakarma
MY BLOG:
awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights.
September 21st, 2011 2:09pm
In addition see this, it is also a good article about PKI.
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
Best regards
Biswajit Biswas
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
September 21st, 2011 2:15pm
This forum is for Active Directory. I would suggest you repost at:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
This forum is specific to PKI and security.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
September 21st, 2011 3:06pm
Hello,
to create a subordinate Enterprise CA, you should have an Enterprise root CA.
AFAIK, there will be no conflicts with the Root Standalone CA.
You can learn more if you ask in the forum that Paul already suggested.
Note that for security reasons it is recommended to keep the Enterprise root CA offline.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
September 21st, 2011 3:11pm
Hi,
Thanks for your effort.
Could you deploy the following environment in the domain Dominio.local?
1 tier ---> CA1-Root CA2-Root (the two servers are Standalone)
2 tier ---> CA3-Sub CA4-Sub (the two servers are Enterprise)
Rgds.
AJ
September 22nd, 2011 9:47am
Hi,
As far as I know, you can install multiple root CAs in one forest. However, this is not recommended as you are now installing separate trust points, where separate trust points are not needed.
Please go through the below link for best practices:
http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx
Hope this helps.
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
September 22nd, 2011 11:01am
On Wed, 21 Sep 2011 12:11:49 +0000, Mr X wrote:
> to create a subordinate Enterprise CA, you should have an Enterprise root CA.
Sorry but this is completely untrue and not necessary. There is no
requirement that the root be an Enterprise CA if the subordinate is going
to be an Enterprise CA. Having an Enterprise root CA is never really a good
idea from a security perspective.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
That does not compute.
September 22nd, 2011 11:53am
Hi,
Thanks for the help :>
I think the best solution is the following:
If the domain is dominio.local the infrastructure should be:
Tier 1 --> CA1 (Root, Stand-Alone) Recommended by best practices (more security)
Tier 2 --> CA2 and CA3 (Subordinates, Enterprise).
Is it possible to have two subordinate Enterprise CAs in the same domain in tier 2?
Rgds.
AJ
September 22nd, 2011 1:42pm
Yes, you can have two subordinate CAs.
Regards,
Bruce
September 23rd, 2011 5:52am


