Permissions for CertUtil and CRL publishing
I've got a CA setup as a cluster. One of the issues I'm coming across is that if there is a failover the CRL may not be updated on the new node. I've created a POSH script to update the CRL during failover however I can't seem to get it to execute
properly. It works fine under my user account but not via POSH and the SYSTEM account.
Anyone know what permissions I need to set up to get Clustering to be able to update a CRL?
David Jenkins
September 17th, 2012 3:59pm
The account attempting to run the command must have Manage CA permissions on the CA.
Brian
September 17th, 2012 4:53pm
I understand about the permissions. I'm thinking about elevated privileges.
I'm attempting to use the SYSTEM account which would already have access I think.
Right now my choices are to use a Scheduled Task which can elevate privileges or maybe set up a service.
David Jenkins
September 18th, 2012 9:28am
I have always used a scheduled task with a dedicated service account (which allows for elevation)
Also, I never use any shares/web publications on the local device so that it does not matter which node is active
Brian
September 18th, 2012 12:00pm
I was hoping to make the failover smarter by adding a script that would force the CRL to update after a failover. Without being able to elevate it won't work. :(
David Jenkins
September 18th, 2012 12:01pm
Again, there is no need to do a CRL update if you use proper locations for the CRL publication (to a web cluster that is not located on the CA server itself)
Then it does not matter.
Brian
September 18th, 2012 12:21pm
That's a nice answer if you have plenty of servers to dish out a web cluster on top of the ca cluster.
In my case this isn't going to happen.
David Jenkins
September 18th, 2012 2:54pm
So, keeping your poorly designed server in mind:
- Have IIS point to a directory that is stored on the cluster drive, not to the local file system of the nodes
- Have a 65:file://\\server\shareoncluster\%3%8%9.crl entry on the CDP extensions registry entry
- Have the web server make this available as an 6:http://pkiwebservername.example.com/crlpublishlocation/%3%8%9.crl
Solved.
Brian
September 18th, 2012 4:02pm
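Added example, not from the thread and not Brian's or David's code: it puts the two suggestions above (a dedicated service account running `certutil -CRL` from a scheduled task, and a CDP that publishes to the clustered disk while advertising an HTTP URL) into one PowerShell script. Every name in it is an assumed placeholder: `CLUSTERCA\svc-crlpub` for the service account that holds Manage CA, `\\pkicluster\crlshare` for the share on the cluster disk that IIS serves, and `pki.example.com` for the HTTP CDP name. The daily trigger is also an assumption; republishing is idempotent, so running it after a failover or on a timer both just refresh the same file.

```powershell
# Placeholders (assumed, replace with your own):
#   CLUSTERCA\svc-crlpub   dedicated service account granted "Manage CA" on the CA
#   \\pkicluster\crlshare  share on the clustered disk; IIS virtual directory points here
#   pki.example.com        DNS name clients use for the HTTP CDP
$ServiceAccount = 'CLUSTERCA\svc-crlpub'
$ClusterShare   = '\\pkicluster\crlshare'
$HttpCdp        = 'http://pki.example.com/crl'

# 1. CDP / CRL publication URLs.
#    65 = 1 (publish CRL to this location) + 64 (publish delta CRL to this location)
#     6 = 2 (include in CDP extension of issued certs) + 4 (include in Freshest CRL extension)
#    certutil expands a literal "\n" in the value into one entry per line, so keep the
#    single quotes so PowerShell does not touch the backslashes or the %3%8%9 tokens.
$crlUrls = '65:file://' + $ClusterShare + '\%3%8%9.crl' + '\n' +
           '6:'  + $HttpCdp + '/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs "$crlUrls"

# The CA service must be restarted for the new CDP to take effect. On a clustered CA,
# restart it through the cluster resource rather than Restart-Service so the cluster
# does not treat the stop as a failure (resource name is assumed).
Stop-ClusterResource  -Name 'Certification Authority'
Start-ClusterResource -Name 'Certification Authority'

# 2. Scheduled task that republishes the CRL under the service account, elevated.
#    "certutil -CRL" needs Manage CA, which SYSTEM does not get by default; the
#    dedicated account does. -LogonType Password lets the task run when nobody is
#    logged on, which is what a failover looks like from the node's point of view.
$cred      = Get-Credential -UserName $ServiceAccount -Message 'Service account for CRL publishing'
$action    = New-ScheduledTaskAction -Execute 'certutil.exe' -Argument '-CRL'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'   # assumed schedule
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName 'Republish-CA-CRL' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force

# 3. Checks: confirm the registry value stuck, run the task once, and read the
#    NextUpdate of whatever landed on the cluster share.
certutil -getreg CA\CRLPublicationURLs
Start-ScheduledTask -TaskName 'Republish-CA-CRL'
Start-Sleep -Seconds 15
Get-ChildItem -Path $ClusterShare -Filter '*.crl' | ForEach-Object {
    "== $($_.Name) =="
    certutil -dump $_.FullName | Select-String 'Update'
}
```

Because the CRL file lives on the clustered disk and IIS on each node points at that same directory, whichever node owns the CA role after a failover serves the current CRL; the scheduled task only has to exist on every node, and the `NextUpdate` printed in step 3 tells you whether the last publish actually ran.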
WTF get off your high horse. Poorly designed! I guess you better go tell Microsoft that since I followed their instructions.
Yes I could cluster a drive. I just thought instead of wasting space I would just attach a POSH script to the clustered service so it can update the CRL's after a failover.
Dang.
David Jenkins
September 18th, 2012 4:04pm
so long....
I tried to answer your question, you refused every answer, because you wanted to use your poorly designed system
Tried to help, you rejected it
Buh bye, only the second person that I have marked as never answer...
So long
September 18th, 2012 4:53pm
Maybe if you didn't attempt to insult people first.
Really you're the first person I've ever called a Jerk on this forum.
Jerk!
David Jenkins
September 18th, 2012 4:54pm
Last reply...
I gave you answers throughout.
You refused to follow them
Your design has issues (see revocation checking best practices)
Sorry
September 18th, 2012 5:00pm