Moving a 2003 CA to Server 2008
Can a CA be on a VMware Virtual Machine?
June 6th, 2011 11:43am
Yes, a CA can be installed on a virtual machine.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 6th, 2011 11:54am
That's cool news. The CA we have now is on a DC. Do I need to keep it on a DC, or can I install it on a member server?
June 6th, 2011 12:13pm
It is highly recommended to run the CA on a dedicated server (one that doesn't run any other services).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 6th, 2011 12:35pm
You should have one Standalone CA that is kept offline and is not a domain member. Turn it on at least once a month for CRL updates.
Your subordinate CA should be an Enterprise CA and can be attached to a domain controller, but it is recommended to be on a standalone (single-service, as stated by Vadims) server.
Possible Solution for Standalone CA Virtual Machine
Since you are utilizing Virtual Machines, you can store the Virtual Machine on an External Drive or large-capacity Flash Drive that you connect and power on once a month. Keep it stored in a safe place, as this is your master KEY for your PKI Infrastructure!
In fact, maybe use two External Hard Disks, one that can be copied to the other in case one is dropped during transportation. However, you will need to copy the offline VM to the other external hard drive every time you connect it online for an update!
Or...
Have both drives connected and clone the VM to the other disk while offline.
Technet Article: Active Directory Certificate Services Migration to Microsoft Windows Server 2008 R2.
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
Best Practice Analyzer Built-in to Server Manager for Windows Server 2008 R2 for AD Certificate Services - Leads to dozens of articles on Best Practice for ADCS.
http://technet.microsoft.com/en-us/library/dd379549(WS.10).aspx
Hope this helps!
Best Regards,
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
Microsoft® Community Contributor Award 2011
This posting is "as is" without warranties and confers no rights.
June 6th, 2011 4:04pm
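As an added example (not code from the thread or from the linked TechNet migration guide): the migration guide's first step on the source CA is a full backup of the CA database, the CA key pair and the CertSvc registry configuration, which is also exactly what you want in hand before touching an offline root VM. The backup path, CA name and the assumption that the source is an enterprise CA (so `-catemplates` succeeds) are illustrative; on Windows Server 2003 you need PowerShell 2.0 installed, or run the `certutil`/`reg` lines from cmd.exe.

```powershell
# Added example, not code from the original thread or the TechNet guide.
# Backs up a CA's database, private key and registry configuration before a
# migration, then sanity-checks the result. Run elevated on the source CA.
# $BackupDir and $CaName are assumptions for illustration only.

$BackupDir = 'D:\CABackup'
$CaName    = 'Contoso-Root-CA'     # assumed CA common name (file names derive from it)
$KeyPwd    = Read-Host -AsSecureString -Prompt 'Password for exported CA key (PKCS#12)'
$PlainPwd  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPwd))

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Database plus private key and certificate (writes DataBase\ and <CAName>.p12).
certutil -p $PlainPwd -backup $BackupDir

# 2. CA settings (CRL periods, CDP/AIA URLs, policy flags) live in the registry;
#    the migration guide exports this key on the old server and imports selected
#    values on the new one.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration `
    (Join-Path $BackupDir 'CertSvc-Configuration.reg') /y

# 3. Templates are AD objects, not CA settings, but the list of templates this
#    CA publishes is not carried by the backup, so record it (enterprise CA only).
certutil -catemplates | Out-File (Join-Path $BackupDir 'templates.txt')

# 4. Verify the artefacts exist and that the exported PKCS#12 really contains
#    the CA certificate before relying on the backup.
$p12 = Join-Path $BackupDir "$CaName.p12"
if (-not (Test-Path $p12)) { throw "CA key/cert export missing: $p12" }
if (-not (Test-Path (Join-Path $BackupDir 'DataBase'))) { throw 'CA database backup missing' }
certutil -p $PlainPwd -dump $p12 | Select-String 'Subject:'

# Drop the plaintext copy of the password as soon as it is no longer needed.
$PlainPwd = $null
```

Treat the resulting directory the way Steve describes treating the VM itself: the `.p12` is the root key, so it belongs in the same safe as the offline disks, not on a file share.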
Storing the CA Virtual Machine on an External Drive or large-capacity Flash drive will be good for home evaluation or learning PKI (home use only), and is not recommended for large organizations. Thanks.
June 7th, 2011 12:45am
On Mon, 6 Jun 2011 20:03:36 +0000, Steve Kline wrote:
You should have one Standalone CA that is kept offline and is not a domain member. Turned on at least once a month for CRL updates.
For an offline root CA, publishing a new CRL every month is far too frequent
in the real world. A typical CRL publication period for an offline root is
somewhere between every 6 months and once annually.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Transistor: A sibling, opposite of transbrother.
June 7th, 2011 4:48am
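An added example (not from Paul's post or any Microsoft document) of what "a 6-month to annual CRL period" looks like on the offline root itself: set the base CRL validity and overlap in the CA registry, disable delta CRLs (a root only issues a handful of subordinate CA certificates, so deltas buy nothing), issue a CRL, and read back its NextUpdate so the date of the next key ceremony is known before the box is powered off. The 6-month/2-week values and the `RootCA.crl` file name are assumptions.

```powershell
# Added example, not code from the thread. Configures and verifies the CRL
# publication period of an offline root CA. Run elevated on the root CA.
# Period/overlap values below are assumptions for illustration.

$CrlPeriodUnits   = 6
$CrlPeriod        = 'Months'
$CrlOverlapUnits  = 2
$CrlOverlapPeriod = 'Weeks'

# Record what the CA is doing today before changing anything.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPublicationURLs

# Base CRL validity. The overlap extends NextUpdate by that much so the old CRL
# stays valid while the new one is hand-carried to the CDP locations.
certutil -setreg CA\CRLPeriodUnits   $CrlPeriodUnits
certutil -setreg CA\CRLPeriod        $CrlPeriod
certutil -setreg CA\CRLOverlapUnits  $CrlOverlapUnits
certutil -setreg CA\CRLOverlapPeriod $CrlOverlapPeriod

# No delta CRLs on a root CA.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Registry changes take effect only after the CA service restarts.
Restart-Service -Name CertSvc

# Issue a new base CRL now and report its validity window, i.e. the deadline
# for the next time this machine must be brought online.
certutil -CRL
Start-Sleep -Seconds 5
$crlDir  = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$crlFile = Get-ChildItem -Path $crlDir -Filter '*.crl' |
    Where-Object { $_.Name -notmatch '\+\.crl$' } |   # skip delta CRLs (names end in '+.crl')
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crlFile.FullName | Select-String 'ThisUpdate|NextUpdate'

# Then, on a domain-joined machine (e.g. the enterprise subordinate CA), after
# copying the CRL off the root, publish it to the AD CDP so clients can find it:
#   certutil -dspublish -f .\RootCA.crl
```

The NextUpdate printed at the end is the number to put in the calendar; if the root's CDP is only in AD and an HTTP location, remember that both copies must be refreshed before that date or every certificate chained to the root fails revocation checking at once.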
On Tue, 7 Jun 2011 04:40:19 +0000, krymer wrote:
Storing the CA Virtual Machine on an External Drive or large-capacity Flash will be good for home evaluation or learning PKI (home use only), and is not recommended for large organizations.
Not. As long as the virtual machine is properly secured there is nothing
inherently wrong with any organization using virtual machines for their
CAs.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
In God we trust; all else we walk through.
June 7th, 2011 4:49am
On Mon, 6 Jun 2011 20:03:36 +0000, Steve Kline wrote:
You should have one Standalone CA that is kept offline and is not a domain member. Turned on at least once a month for CRL updates.
For an offline root CA, publishing a new CRL every month is far too frequent
in the real world. A typical CRL publication period for an offline root is
somewhere between every 6 months and once annually.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Transistor: A sibling, opposite of transbrother.
I would agree with the lifecycle of 6 months to 1 year, but this factor has a high dependency on the size of the organization. I would agree that for an organization of 500 or less, 6 months to 1 year is sufficient. Any larger, just to make it a task rather than a chore to stand and wait for the updates to finish, it would be best to update once a month. Also, the frequent timing this way prevents an out-of-sight, out-of-mind "oops, I forgot" mistake. Making good routines in the IT Dept. gives best practice on what should be done.
Storing the CA Virtual Machine on an External Drive or large-capacity Flash will be good for home evaluation or learning PKI (home use only), and is not recommended for large organizations.
Krymer, I would largely disagree with you; a physical server kept offline is a waste of resources. Instead of contributing to your infrastructure, you order a server with some sort of RAID config, which adds more components that aren't being used in the day-to-day production lifecycle of your infrastructure...
With everyone going "Green"... a virtual machine is just the type of production system that is a tolerable expense of a license that can be utilized in an offline state. Proper physical security should always be considered... after all, this is a PKI Infrastructure we're discussing here. Any concept that this could be tossed in just some desk in an unsecured location probably violates any security policies your organization has anyway! Please note my prior statements diligently.
Since you are utilizing Virtual Machines, you can store the Virtual Machine on an External Drive or large-capacity Flash Drive that you connect and power on once a month.
Keep it stored in a safe place, as this is your master KEY for your PKI Infrastructure! In fact, maybe use two External Hard Disks, one that can be copied to the other in case one is dropped during transportation. However, you will need to copy the offline VM to the other external hard drive every time you connect it online for an update!
Best Regards,
Steve Kline
June 7th, 2011 9:21am
On Tue, 7 Jun 2011 13:21:08 +0000, Steve Kline wrote:
I would agree with the lifecycle of 6 months to 1 year, but this factor has a high dependency on the size of the organization. I would agree that for an organization of 500 or less, 6 months to 1 year is sufficient. Any larger, just to make it a task rather than a chore to stand and wait for the updates to finish, it would be best to update once a month. Also, the frequent timing this way prevents an out-of-sight, out-of-mind "oops, I forgot" mistake. Making good routines in the IT Dept. gives best practice on what should be done.
You've this backwards. A large organization is more likely than a small
organization to perform infrequent root CRL updates as they are much more
likely to have an HSM attached to their root CA which would then require a
key ceremony every time the root CA is brought online. In a lot of large
organizations, a key ceremony can be tough to schedule as it requires a
quorum of OCS holders to be present, and usually some form of strict
auditing as well.
Updates, for an offline CA, are pretty much irrelevant unless they are
major like a service pack, or something that directly impacts AD CS.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
This login session: $13.76, but for you: $11.88.
June 8th, 2011 6:15am
On Tue, 7 Jun 2011 13:21:08 +0000, Steve Kline wrote:
I would agree with the lifecycle of 6 months to 1 year, but this factor has a high dependency on the size of the organization. I would agree that for an organization of 500 or less, 6 months to 1 year is sufficient. Any larger, just to make it a task rather than a chore to stand and wait for the updates to finish, it would be best to update once a month. Also, the frequent timing this way prevents an out-of-sight, out-of-mind "oops, I forgot" mistake. Making good routines in the IT Dept. gives best practice on what should be done.
You've this backwards. A large organization is more likely than a small
organization to perform infrequent root CRL updates as they are much more
likely to have an HSM attached to their root CA which would then require a
key ceremony every time the root CA is brought online. In a lot of large
organizations, a key ceremony can be tough to schedule as it requires a
quorum of OCS holders to be present, and usually some form of strict
auditing as well.
Updates, for an offline CA, are pretty much irrelevant unless they are
major like a service pack, or something that directly impacts AD CS.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
This login session: $13.76, but for you: $11.88.
Thanks for that thorough explanation, Paul. Appreciated!
Best Regards,
Steve Kline
June 8th, 2011 10:25am