Install CA on RODC
Can I install a CA on an RODC? I need a solution to authenticate users into a 3rd-party app such as ServiceNow. I would like to build an RODC with LDAPS; however, we have no CA servers and figured the RODC would be a good place. Any thoughts?
April 17th, 2012 1:49pm

Hello, I would not recommend installing a CA on a DC, since if you want to demote the DC you will be asked to remove the CA. In this case, you will have to migrate the CA to another server. I would recommend installing a CA on a member server. Another thing is that it is recommended that the root CA be kept offline for security reasons. For that, it is recommended to use a root CA and subordinate ones, keeping only the subordinate ones online.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
April 17th, 2012 2:03pm

An RODC is frequently used when you cannot physically guarantee security. I can't think of why I'd want to put my CA in that same type of situation.
Mark Morowczynski | PFE-Platforms | http://blogs.technet.com/b/markmoro
April 17th, 2012 3:35pm

I would agree with Mark, and that reinforces the fact that, for security reasons, you should not add a CA on an RODC. If your RODC is physically secured then you can go through installing the CA, but remember that:
- The root CA should be kept offline for security reasons.
- Having a CA on a DC increases troubleshooting complexity, especially when you want to demote the DC.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
April 17th, 2012 3:42pm

Hello, CAs on a DC are not recommended, not even by Microsoft. So use a domain member server instead. Also, RODCs are made for locations with reduced security and no need for domain admins.
Best regards, Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
April 17th, 2012 5:21pm

Hi, I agree with the others that it is not recommended to install a CA on a domain controller. For more information, please refer to this thread: Is there a good reason not to install AD Certificate Services on a 2008 domain controller? http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042 Regards, Bruce
April 17th, 2012 10:22pm

I am just trying to find a solution to run LDAPS on an RODC to allow an external vendor to pull LDAP fields to populate their app. We currently do not have a CA server, and I was hoping I wouldn't need one; after reading, it looks like I will need a CA server for LDAPS, and I was trying to find a cheaper solution. Is there another way that is cost-effective? Right now it looks like making a root CA server, then a subordinate CA server, and then hiding the root CA or turning traffic off to it. I am in the planning phase now. JD
April 18th, 2012 8:37am

Also, this is for Windows 2008 R2.
April 18th, 2012 8:39am

You could buy a certificate from a trusted certificate issuer such as Digicert.com or verisign.com, if it can be tailored as a Domain Controller / Kerberos certificate. This would activate LDAPS on the DC, and external vendors would trust the certificate. When I think of this, should you not put something between the DC and the external vendor as a security layer?
www.twitter.com/danielullmark
April 24th, 2012 9:52am

I will have a firewall open to just LDAPS, and only the IP addresses I assign will have access. I am setting up a lab and I am going to try OpenSSL to see if I can sign it with that. I asked rapidssl.com and they said unless the DC is exposed they can't issue a cert. Thank you, JD
April 24th, 2012 10:20am

Found my answer... Found this on another post, thought I would share. Used OpenSSL. Generate the cert using this syntax:

# Self-signed key and certificate, valid 5 years; the key and the cert both land in mycert.pem.
# (The original post used rsa:1024, which is below the key size current clients accept; 2048 is the floor.)
openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
# Bundle the key and certificate into a PKCS#12 file for import into the Windows certificate store.
openssl pkcs12 -export -in mycert.pem -out mycert.p12

Then you import the cert into:
- DC - "Personal" certificate store
- DC - "Trusted Root Certification Authorities" certificate store
- Host connecting using LDP.EXE - "Trusted Root Certification Authorities" certificate store
April 24th, 2012 4:44pm
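The recipe in the last post produces a certificate with no subject alternative name and no extended key usage, so whether Schannel picks it up for LDAPS depends on the DC being lenient. The script below is an added example (not from the thread and not from any poster) that builds a self-signed certificate carrying the properties Microsoft documents for LDAPS on a DC: the DC's FQDN in the subject and SAN, the Server Authentication EKU, and a 2048-bit key, then checks those properties and offers a handshake probe against port 636. The hostname dc1.example.com, the output directory and the PKCS#12 password "changeit" are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a self-signed certificate
# that carries the properties Schannel looks for on an LDAPS-enabled DC, checks
# them, and can probe the DC afterwards. dc1.example.com and the export password
# "changeit" are placeholders; substitute your DC's FQDN and a real password.
set -eu

# make_ldaps_cert <dc_fqdn> <outdir>: writes key.pem, cert.pem and ldaps.p12 into <outdir>.
make_ldaps_cert() {
    fqdn="$1"; outdir="$2"
    mkdir -p "$outdir"
    # -addext needs OpenSSL 1.1.1 or later. The SAN and EKU are exactly what the
    # bare "openssl req -x509" command in the thread leaves out.
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1825 \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    # PKCS#12 bundle (private key + cert) for the DC's Local Computer\Personal store.
    # OpenSSL 3 encrypts the bundle with AES/PBKDF2 by default, which Windows Server
    # 2008 R2 cannot read; add -legacy on OpenSSL 3 if the import on the DC fails.
    openssl pkcs12 -export -inkey "$outdir/key.pem" -in "$outdir/cert.pem" \
        -out "$outdir/ldaps.p12" -passout pass:changeit
}

# check_ldaps_cert <cert.pem> <dc_fqdn>: prints "ok" and returns 0 when the
# certificate has a 2048-bit key, the serverAuth EKU, the digitalSignature key
# usage and the DC FQDN in its SAN; otherwise prints what is missing and returns 1.
check_ldaps_cert() {
    cert="$1"; fqdn="$2"
    text=$(openssl x509 -in "$cert" -noout -text)
    missing=""
    printf '%s\n' "$text" | grep -q "Public-Key: (2048 bit)"        || missing="$missing rsa2048"
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || missing="$missing eku:serverAuth"
    printf '%s\n' "$text" | grep -q "Digital Signature"             || missing="$missing keyUsage:digitalSignature"
    printf '%s\n' "$text" | grep -qF "DNS:$fqdn"                    || missing="$missing san:$fqdn"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo ok
}

# probe_ldaps <dc_fqdn> <cert.pem>: TLS handshake against port 636, trusting only
# our own certificate. A non-zero exit means the DC did not present this
# certificate (wrong store, missing private key, or LDAPS not listening).
probe_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage when run directly: sh ldaps-cert.sh run
if [ "${1:-}" = "run" ]; then
    make_ldaps_cert dc1.example.com ./ldaps-cert
    check_ldaps_cert ./ldaps-cert/cert.pem dc1.example.com
fi
```

On the DC, import ldaps.p12 (key and certificate) into the Local Computer Personal store, for example with certutil -importPFX from an elevated prompt, and cert.pem into Trusted Root Certification Authorities on both the DC and the vendor's host; only the PKCS#12 needs the private key, the root stores only get the public certificate. After a restart of the DC (or a "renew" of the Schannel listener), LDP.EXE on port 636 with SSL checked, or probe_ldaps from another machine, confirms the DC is serving this certificate. Two caveats the thread already hints at: a self-signed certificate has to be distributed by hand to every party that talks LDAPS to the DC and redone before it expires, and the firewall restriction to the vendor's source addresses is what actually limits exposure of the RODC, not the certificate.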
