Hello, My organisation's DR is (at a high level) to have services available from its production and DR locations, and for most services these would be available at any time should one or other location become unavailable. In windows terms this is pretty easy for services such as AD, DNS, DHCP, File and Print etc. So my question is: How do we create this same kind of fault tolerance or failover for an enterprise certificate authority? What have others done with regard to this? One possible challenge is that the CA is on the primary DC at the production site. Thanks Greg

Here is an official whitepaper: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=331 Also you may deploy multiple issuing CAs (for example per each remote site). However this increases management costs. And the last — service clustering doesn't implies regular backup strategy. In any way you must backup your servers/services to restore failed server/service. My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Hi Greg, Active Directory Certificate Services in Windows Server 2008 is support for 2 node active/passive clustering. You can configure CA clustering according to the whitepaper that Vadims provided. Regarding Disaster Recovery Procedures for ADCS, please refer to the following articles: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS) http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx Designing and Implementing a PKI: Part V Disaster Recovery http://blogs.technet.com/b/askds/archive/2011/04/07/designing-and-implementing-a-pki-part-v-disaster-recovery.aspx Hope it helps. Regards, Bruce