PKI and IAS new AD 2008
So, I started this AD2008 months ago and would like to thank all those who have given me help in the past. I am on the last few steps in getting a DC decommissioned. What I have learned is not to put so many roles on a DC, as it makes it very difficult to manage...at least for someone like me. Anyhow, the last two pieces are PKI and IAS. After reading on PKI, I decided to build a parallel PKI and transition over to it.

Currently we have an Offline Root CA (2003) that is part of the domain----the new Offline Root CA will be Server 2008 R2 and NOT part of the domain. 2 Subordinate CAs which happen to be on our two Domain Controllers..one of which I am trying to decommission..----the two new Subordinate CAs will not be on domain controllers but rather dedicated servers (VMs).

Here are some of my questions on the new PKI -
1. The new offline root CA..Standard or Enterprise?
2. Would two subordinate CAs be overkill? (Looking at the services now, I see templates for DC Authentication, DC, Web Server, IAS, CA Exchange, Directory Email Replication, and Computer certificates being issued. As a matter of fact, a lot of the certificates look like they have expired already..(can I delete them?) It's odd because it looks like all the computer certificates are being issued by one of the CAs; the other only issued one computer certificate, and the rest were DC, DC Authentication, etc.... Is there anything you guys suggest I look at?
3. Can the subordinate CA be part of the domain?
4. Do the subordinate CAs need to be on dedicated servers?
5. Going back to IAS....since it is being issued a certificate...should I get PKI going first and then move IAS over?
6. Can IAS be on a DC or does it need to be on a dedicated server?

I know these are a lot of questions, but if I screw this up...our public safety officers will not be able to connect to NetMotion (mobile VPN), vendors cannot VPN in to work on issues, and our internal wireless will go kaput.
I want to be as thorough as possible. Thanks in advance!
March 4th, 2011 3:59pm

1) Standard is enough for Root CAs. Note that the Root CA SHOULD be a Standalone CA (and not Enterprise) and without any network connection.
2) You don't need to delete expired certificates. If you have an autoenrollment policy enabled, this will auto-archive expired certificates. You can set up another subordinate CA and assign these templates to it, and remove them from the old CA.
3) Yes. In that case you just set up an Enterprise Subordinate CA.
4) It is recommended, to decrease the possible attack surface.
5) First you should set up the new PKI.
6) It is recommended to set up IAS on a member server. But RADIUS can be installed on a domain controller (or all domain controllers).
http://en-us.sysadmins.lv
March 5th, 2011 9:50am

Vadims, On point 6 you recommend setting up IAS on a member server. I was curious why you recommended a member server over installing IAS on a domain controller. I'm only asking because of the material I have read states: To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller. Is there anything in your experience where installing IAS on a DC has caused a problem of some sort?
March 5th, 2011 5:14pm

This depends. When IAS is installed on domain controllers, IAS operators must have Domain Admins permissions. In a case where there are no dedicated IAS administrators, you can install it on domain controllers without any issues.
http://en-us.sysadmins.lv
March 6th, 2011 3:34pm
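A check for the points raised in the two answers above (root CA type and domain membership, CA or IAS sitting on a DC, expired certificates in the machine store). This is an added example, not code from the thread or from sysadmins.lv; it assumes it is run in an elevated PowerShell locally on a Windows Server 2008 R2 box, and that the CA configuration key and CAType codes are as documented for AD CS.

```powershell
# Added example: report PKI/IAS role placement and expired certs on this server.
function Get-PkiRoleReport {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $isDc = ($cs.DomainRole -ge 4)    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $hasCa  = $null -ne (Get-Service -Name CertSvc -ErrorAction SilentlyContinue)
    $hasIas = $null -ne (Get-Service -Name IAS -ErrorAction SilentlyContinue)   # IAS/NPS service name

    # CAType from the active CA's configuration key:
    # 0 = Enterprise Root, 1 = Enterprise Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate
    $caType = $null
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if ($hasCa -and (Test-Path $cfg)) {
        $active = (Get-ItemProperty -Path $cfg).Active
        if ($active) { $caType = (Get-ItemProperty -Path (Join-Path $cfg $active)).CAType }
    }

    # Expired certificates in the machine store, with issuer and template (v1 or v2 template extension)
    $now = Get-Date
    $expired = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if ($cert.NotAfter -ge $now) { continue }
        $ext = $cert.Extensions | Where-Object {
            $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } |
            Select-Object -First 1
        $tmpl = '(no template)'
        if ($ext) { $tmpl = $ext.Format($false) }
        New-Object PSObject -Property @{
            Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Template = $tmpl
        }
    }

    # Findings that correspond to the advice in the thread
    $findings = @()
    if ($hasCa -and $isDc)  { $findings += 'CA service is running on a domain controller' }
    if ($hasIas -and $isDc) { $findings += 'IAS/NPS is on a domain controller; IAS operators need Domain Admins rights' }
    if (($caType -eq 0 -or $caType -eq 3) -and $cs.PartOfDomain) {
        $findings += 'Root CA is a domain member; a root should be standalone and off the network'
    }
    if ($caType -eq 0) { $findings += 'Root CA is Enterprise type; Standalone is recommended for a root' }

    New-Object PSObject -Property @{
        Computer = $cs.Name; IsDomainMember = $cs.PartOfDomain; IsDomainController = $isDc
        CAType = $caType; IASInstalled = $hasIas; ExpiredCerts = @($expired); Findings = $findings
    }
}

Get-PkiRoleReport | Format-List
```

Run it on each current CA and on the DC being decommissioned; the ExpiredCerts list shows which issuer and template each stale certificate came from, which is the question raised in point 2.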

Thanks all for your very helpful posts. I just wanted to clarify one point...please keep in mind this is all new to me and I am pretty much learning as I go....IAS is a role on a Windows server and RADIUS is the clients on the IAS server? Can IAS only be on one server or can I put it on all of our domain controllers? If it was on multiple servers, it would still be just that one instance, right? It would just replicate across all the servers like DNS? I would like to create some type of redundancy in the event that one of the servers does go down. I am still trying to grasp how IAS, RADIUS, Certificate Authorities, and PKI all tie in together. Can you guys help point me in the right direction? I think if we didn't have an existing setup and I was to build it from scratch I would better understand this. The thing is that the whole infrastructure was already built, and based on the forums and what I have read, it is not the right way to do it. Our root CA is currently online and is a domain member..our sub CAs are all domain controllers. I'm scared to death to change anything in fear of breaking something and not being able to fix it.... With that being said, a lot of the suggestions that were made on this board have helped a lot...
March 7th, 2011 10:45am

You need to learn more about IAS (look at the TechNet library).

> Can IAS only be on one server or can I put it on all of our domain controllers?

You can put it on all domain controllers. However, this can be useless if the IAS clients don't support multiple RADIUS servers. For example, our WAPs (wireless access points) support only one RADIUS server.

> I am still trying to grasp how IAS, RADIUS, Certificate Authorities, and PKI all tie in together

Basically (as I understand it) the following process occurs: the client sends an authentication request to the IAS server. The IAS server forwards this request to other RADIUS servers or directly to a domain controller. Once the domain controller authenticates this client (or rejects authentication), it sends a response back to IAS (or through other RADIUS servers). Based on the authentication information, IAS applies the required policies to the client and allows the connection.
http://technet.microsoft.com/en-us/network/bb643123.aspx
http://en-us.sysadmins.lv
March 7th, 2011 2:54pm

Thanks Vadims. I would like to mark your answer as the answer but wanted to wait a few days to see anyone else's thoughts. But I will definitely follow your suggestions.
March 7th, 2011 3:57pm
