Single subnet LAN, one domain, one forest: If my CA is for internal use only, for Windows servers and clients and a few devices What revocation methods do I need to publish? (I don't want anything visible outside the LAN). Do I really need a dedicated server, or can I put it on say the WSUS server? What is the risk of putting it on a DC, since the IIS would not be accessible from outside the LAN? CarolChi

Hello, You can put in in your WSUS server, but this will depend how big your environment is. I wll not recommend to put it on a DC, becuase for security reason and also your don't want to place too much revocation/request traffic to your DCIsaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications