Disaster Recovery / fault tolerance for Enterprise CA.
Hello,
My organisation's DR is (at a high level) to have services available from its production and DR locations, and for most services these would be available at any time should one or other location become unavailable.
In windows terms this is pretty easy for services such as AD, DNS, DHCP, File and Print etc.
So my question is: How do we create this same kind of fault tolerance or failover for an enterprise certificate authority?
What have others done with regard to this? One possible challenge is that the CA is on the primary DC at the production site.
Thanks
Greg
September 13th, 2011 8:48pm
Here is an official whitepaper:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=331
Also you may deploy multiple issuing CAs (for example per each remote site). However this increases management costs. And the last — service clustering doesn't implies regular backup strategy. In any way you must backup your servers/services to restore
failed server/service.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
Free Windows Admin Tool Kit Click here and download it now
September 14th, 2011 10:43am
Hi Greg,
Active Directory Certificate Services in Windows Server 2008 is support for 2 node active/passive clustering. You can configure CA clustering
according to the whitepaper that Vadims provided.
Regarding Disaster Recovery Procedures for ADCS, please refer to the following articles:
Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx
Designing and Implementing a PKI: Part V Disaster Recovery
http://blogs.technet.com/b/askds/archive/2011/04/07/designing-and-implementing-a-pki-part-v-disaster-recovery.aspx
Hope it helps.
Regards,
Bruce
September 16th, 2011 1:59am