Install CA on RODC
Can I install a CA on a RODC? I need a solution to authenticate users into a 3rd-party app such as ServiceNow. I would like to build a RODC with LDAPS, however we have no CA servers and figured the RODC would be a good place. Any thoughts?
April 17th, 2012 1:49pm
Hello,
I would not recommend installing a CA on a DC since if you want to demote the DC you will be asked to remove the CA. In this case, you will have to migrate the CA to another server.
I would recommend installing a CA on a member server.
Another thing is that it is recommended that the root CA be kept offline for security reasons. For that, it is recommended to use a root CA and subordinate ones, and to keep only the subordinate ones online.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
April 17th, 2012 2:03pm
An RODC is frequently used when you cannot physically guarantee security. I can't think of why I'd want to put my CA in that same type of situation.
Mark Morowczynski | PFE-Platforms | http://blogs.technet.com/b/markmoro
April 17th, 2012 3:35pm
I would agree with Mark, and that enhances the fact that, for security reasons, you should not add a CA on an RODC. If your RODC is physically secured then you can go through installing the CA, but don't forget that:
- The root CA should be kept offline for security reasons
- Having a CA on a DC increases troubleshooting complexity, especially when you want to demote the DC
April 17th, 2012 3:42pm
Hello,
CAs on a DC are not recommended, not even by Microsoft.
So use a domain member server instead. Also, RODCs are made for locations with reduced security and no need for domain admins.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
April 17th, 2012 5:21pm
Hi,
Agree with others that it is not recommended to install a CA on a Domain Controller. For more information, please refer to this thread:
Is there a good reason not to install AD Certificate Services on a 2008 domain controller?
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042
Regards,
Bruce
April 17th, 2012 10:22pm
I am just trying to find a solution to run LDAPS on a RODC to allow an external vendor to pull LDAP fields to populate their app. We currently do not have a CA server and I was hoping I wouldn't need one; after reading, it looks like I will need a CA server for LDAPS and I was trying to find a cheaper solution. Is there another way that is cost effective? Right now it looks like making a root CA server, then a subordinate CA server, and then hiding the root CA or turning traffic off to it. I am in the planning phase now.
JD
April 18th, 2012 8:37am
Also, this is for Windows 2008 R2.
April 18th, 2012 8:39am
You could buy a certificate from a trusted certificate issuer such as Digicert.com or verisign.com, if it can be tailored as a Domain Controller / Kerberos certificate.
This would activate LDAPS on the DC and external vendors would trust the certificate. When I think of this, should you not put something between the DC and the external vendor as a security layer?
www.twitter.com/danielullmark
April 24th, 2012 9:52am
I will have a firewall open to just LDAPS, and only the IP addresses I assign will have access. I am setting up a lab and I am going to try OpenSSL to see if I can sign it with that. I asked rapidssl.com and they said unless the DC is exposed they can't issue a cert.
Thank you,
JD
April 24th, 2012 10:20am
Found my answer... Found this on another post, thought I would share.
Used OpenSSL
Generate the cert using this syntax:
openssl req -x509 -nodes -days 1825 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
openssl pkcs12 -export -in mycert.pem -out mycert.p12
_________________________________________
Then you import the cert into:
- DC - "Personal" Certificates Store
- DC - "Trusted root Certification Authorities" Certificates Store
- HOST CONNECTING USING LDP.EXE FROM - "Trusted root Certification Authorities" Certificates Store
April 24th, 2012 4:44pm
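The same OpenSSL approach as JD's final post, written up as an added example (not code from the thread) that also sets the attributes Microsoft documents for LDAP over SSL certificates: the DC FQDN as Subject CN and DNS SAN, and the Server Authentication EKU, with a 2048-bit key instead of the post's rsa:1024. The FQDN rodc01.example.com, the output directory and the export password "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a self-signed LDAPS certificate
# for a DC with the DC FQDN as CN and DNS SAN plus the serverAuth EKU, then a
# PKCS#12 bundle for the DC's Personal store. FQDN, directory and password are
# constructed placeholders.

make_dc_cert() {
    fqdn="$1"; out="$2"; days="${3:-1825}"
    mkdir -p "$out"
    # OpenSSL request config carrying the extensions Schannel looks for
    cat > "$out/dc.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_dc
prompt             = no
[dn]
CN = $fqdn
[v3_dc]
subjectAltName   = DNS:$fqdn
extendedKeyUsage = serverAuth
keyUsage         = digitalSignature, keyEncipherment
basicConstraints = CA:FALSE
EOF
    # Self-signed cert; key and cert kept in separate files for clarity
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$out/dc.cnf" -keyout "$out/dc.key" -out "$out/dc.crt"
    # PKCS#12 with SHA1/3DES PBE: older Windows (e.g. 2008 R2) cannot read the
    # AES/PBKDF2 defaults that OpenSSL 3 would otherwise use
    openssl pkcs12 -export -inkey "$out/dc.key" -in "$out/dc.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$out/dc.p12" -passout pass:changeit
}

# Returns 0 when the cert names the FQDN as a DNS SAN and carries the
# serverAuth EKU, i.e. what the DC needs before it will offer LDAPS on 636.
check_dc_cert() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q "DNS:$2" || return 1
    echo "$txt" | grep -q "TLS Web Server Authentication" || return 1
}

# After import, probe port 636 from a non-Windows host (the ldp.exe check in
# the post): prints the verify result and the presented chain. Not run by tests.
probe_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null
}
```

Every client, including the vendor's, still has to trust dc.crt explicitly, which is the trade-off against a CA-issued certificate that the thread's other replies describe.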