Setting up enterprise certificate infrastructure on 2008R2
We’re in the process of updating our 5,000 user domain from Server 2003 A/D to 2008R2. We’ve replaced a couple of our DC’s with 2008R2 and will have all of them replaced probably in the next couple of weeks. We will then set the domain to native mode. One of the things we’re also wanting to do is set up an enterprise certificate system for our internal systems. I’ve worked with the Windows servers for a while, but never was involved in the certificates much. I’ve found a lot of information on the specific instructions of installing the Enterprise authority roles on the server, but not really much on the design of the infrastructure (number of CA’s, location, etc.). Here is what we’ve come up with so far:

1) Set up a Windows Enterprise server on a non-domain (workgroup) server. Install the certificate services and configure a stand-alone root certificate server.
2) In the domain, install certificate servers as a subordinate “Enterprise” CA. Then shut down the root CA to ensure it doesn’t get compromised.

Assuming this is the correct path, should the subordinate CA be on a domain controller or a member server? I’ve seen comments that it shouldn’t be on the DC (this also matches my opinion to keep the DC’s as “clean” as possible), but most of the examples I’ve seen show them being installed on a DC. I found a “best practices” article from Microsoft that says to not use a DC, but the article was for 2003 and I don’t know if that’s still valid for 2008R2. Also, since the role is “Active Directory Certificate Services”, does it have to be on the Active Directory server? Any comments, suggestions, or pointers would be appreciated.
July 21st, 2010 6:00pm

Hello, the placement of the Subordinate CA will depend on you, but in a large enterprise such as yours, it would be suggested to place it on a member server in a secure location. The document below can help in your design: http://www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&displaylang=en and scroll to the title: Windows Server 2008 Active Directory Certificate Services Step-By-Step Guide.doc

Isaac Oben MCITP:EA, MCSE
July 21st, 2010 6:22pm

This might be of some help, http://technet.microsoft.com/en-us/library/ff630887.aspx

> 1) Set up a Windows Enterprise server on a non-domain (workgroup) server. Install the certificate services and configure a stand-alone, root certificate server.
> 2) In the domain, install certificate servers as a subordinate Enterprise CA. Then shut down the root CA to ensure it doesn't get compromised.

Using a technology such as Hyper-V, you can store the VHD for the system on a flash drive and store it securely, but you may want to make two copies in case one of the flash drives fails. Then you can store the flash drives in a safe or a safe deposit box.

> Assuming this is the correct path, should the subordinate CA be on a domain controller or a member server?

This should definitely be a member server as it can be kept more secure. If a CA is compromised, all of the certificates issued by that CA and subordinate CAs would need to be revoked and reissued.

-- Mike Burr
July 21st, 2010 6:28pm

Thanks for the link, this is the kind of information I'm looking for. So the subordinate CA can be an "enterprise" CA, but does not need to be on a DC? Since the certificate role is titled "Active Directory Certificate Services", I wasn't sure if it had to be on an A/D server (domain controller).
July 21st, 2010 7:58pm

Thank you for the link, I'll check it out. The servers (both the stand alone root and the subordinate CA) will be VMWare virtual machines, so we'll have the vmdk files stored.
July 21st, 2010 8:00pm

Hi,

> So the subordinate CA, can be an "enterprise" CA, but does not need to be on a DC? Since the certificate role is titled "Active Directory Certificate Services", I wasn't sure if it had to be on an A/D server (domain controller).

Yes, the subordinate CA can be an enterprise CA, known as an enterprise subordinate CA. It is recommended to install the Active Directory Certificate Services role on a member server. If there is anything unclear, please do not hesitate to respond back.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 22nd, 2010 6:01am

We currently have a stand-alone CA set up in the domain. It was originally put in by someone working with a consultant and was used to issue certificates for some internal systems, but it's pretty much just been sitting there otherwise. I realize we'll need to set up any certificates currently on the stand-alone CA in the new server, but when we do put in the new enterprise certificate servers, will it "break" anything currently set up on the existing CA, or anything using certificates issued from the stand-alone CA? Or can the stand-alone and enterprise CA co-exist until we get the replacement certificates issued from the new system?
July 23rd, 2010 4:19pm

Hello, the standalone CA can co-exist side by side with the Enterprise CA as long as they have different issuing names and are on different servers, and the new CA will not break the current setup. But once you decide to get rid of the standalone CA, you may have to revoke all valid CA's that were issued by the standalone, or make sure you force the apps, etc., to use the new CA issued by the Enterprise; that way you can avoid errors, etc.

Isaac Oben MCITP:EA, MCSE
July 23rd, 2010 4:49pm

One more question. Can the enterprise sub CA issue certificates for non-domain members? Some of the certs issued by our current stand alone CA are for Unix/Linux systems. From what I understand, it seems like it should be able to (that's what the "web enrollment" is for, correct?), but I just wanted to make sure.
July 23rd, 2010 7:26pm

Yes, it can issue certificates to non-domain members. You will need to generate a CSR from the requesting computer and then submit it to the enterprise CA, then receive and install the cert on the non-member server.

Isaac Oben MCITP:EA, MCSE
July 23rd, 2010 9:02pm

Thank you for the information. So at this point, here's my plan:

- Install 2008R2 Enterprise server on a workgroup machine
- Install A/D Certificate Services, configure root CA, standalone
- Install 2008R2 Enterprise on a domain member
- Install A/D Certificate Services, configure as enterprise sub CA using cert from root
- Shut down root CA and save virtual machine files

(Up to this point, no existing systems have been affected; the existing stand-alone CA servers are functioning as they were.) Then, when we're ready to get rid of the existing "old" CA:

- Revoke the certificates on the existing machines that had certs issued from the "old" CA
- Issue new certs for these from the new sub CA
- Remove the certificate services from the existing stand-alone CA's

Am I missing anything?
July 23rd, 2010 10:13pm

Hi,

As the root CA is offline, you must configure the properties of the root CA to ensure correct revocation and chain building. For more information, please refer to the "Offline Root CA Configuration" section of the following article: http://technet.microsoft.com/en-us/library/cc779714(WS.10).aspx

Although the existing "old" CA is a standalone CA, you can refer to the following article to ensure that all related objects are removed from AD: How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000 http://support.microsoft.com/kb/889250

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 26th, 2010 5:33am
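The two-tier plan above (offline standalone root, enterprise subordinate, CSR-based issuance to a non-domain Unix host) and the follow-up points about revocation and chain building, modelled as an added example with OpenSSL on a Linux host. This is not code from the thread, from AD CS or from Microsoft; it stands in for the Windows roles so the chain, the need to publish the subordinate's certificate, and a CRL-based revocation can be exercised end to end. All CA names, hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Models the thread's two-tier design with OpenSSL: an offline self-signed root,
# an online subordinate (issuing) CA certified once by the root, and a leaf cert
# issued to a non-domain Linux host from its own CSR, later revoked via the
# issuing CA's CRL. Every name and path below is a constructed placeholder.
set -eu

q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly, keeping its exit status

build_pki() (   # $1 = scratch directory; runs in a subshell so the caller's cwd is untouched
  mkdir -p "$1" && cd "$1" && touch index.txt
  # Extension profiles: root CA, issuing CA (pathlen:0 = may not create further CAs), TLS server leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >sub.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:unixbox.corp.example\n' >leaf.ext
  # Minimal "openssl ca" config so the issuing CA keeps an index and can publish a CRL.
  printf '[ca]\ndefault_ca=sub\n[sub]\ndatabase=index.txt\nserial=sub.srl\nnew_certs_dir=.\ncertificate=sub.crt\nprivate_key=sub.key\ndefault_md=sha256\ndefault_crl_days=7\n' >sub.cnf
  # 1) Standalone root on a workgroup box: self-signed, then powered off and archived.
  q openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Corp Offline Root CA' -keyout root.key -out root.csr
  q openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile root.ext -out root.crt
  # 2) Enterprise subordinate on a member server: its CSR is the only thing the root ever signs.
  q openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Corp Issuing CA' -keyout sub.key -out sub.csr
  q openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 -sha256 -extfile sub.ext -out sub.crt
  # 3) Non-domain host keeps its private key and submits only the CSR; the issuing CA returns the cert.
  q openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=unixbox.corp.example' -keyout leaf.key -out leaf.csr
  q openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 365 -sha256 -extfile leaf.ext -out leaf.crt
)

verify_leaf() (   # $1 = dir; prints OK or FAIL; checks the issuing CA's CRL once one has been published
  cd "$1"
  if [ -f sub.crl ]; then set -- -CRLfile sub.crl -crl_check; else set --; fi
  openssl verify -CAfile root.crt -untrusted sub.crt "$@" leaf.crt >/dev/null 2>&1 && echo OK || echo FAIL
)

verify_without_intermediate() (   # why the sub CA cert must be published (AIA/CertEnroll): no sub cert, no chain
  cd "$1" && openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 && echo OK || echo FAIL
)

revoke_leaf() (   # $1 = dir; revoke the host cert at the issuing CA and publish a fresh CRL
  cd "$1"
  q openssl ca -config sub.cnf -revoke leaf.crt
  q openssl ca -config sub.cnf -gencrl -out sub.crl
)

if [ "${1:-}" = "demo" ]; then   # usage: sh pki.sh demo
  d=$(mktemp -d); build_pki "$d"
  echo "chain with intermediate: $(verify_leaf "$d"); without: $(verify_without_intermediate "$d")"
  revoke_leaf "$d"; echo "after revocation: $(verify_leaf "$d")"
fi
```

Requires an OpenSSL build with the `ca`, `req`, `x509` and `verify` subcommands (1.1.1 or 3.x); the root key stays in the scratch directory only because this is a model, whereas the thread's design takes the real root offline after signing the subordinate.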

Hi,

How's everything going? We've not heard back from you in a few days and wanted to check if the suggestions helped. If you need any further assistance, please do not hesitate to respond back. Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 30th, 2010 4:41am
