Two-tier Enterprise CA natural fault tolerance
An enterprise CA is designed to provide natural fault tolerance in an Active Directory environment. If one enterprise CA does not work or is not available, client services will automatically attempt enrollment with the next available enterprise CA in the forest. No errors are generated and no user interaction is required. For more information, see "Online Enterprise Issuing CAs" later in this document.

http://technet.microsoft.com/en-us/library/cc787550(WS.10).aspx

I've read the above article and the "Online Enterprise Issuing CAs" section, but I can't figure out how this "natural fault tolerance" works.

Our setup:
1 Offline Root CA
2 Issuing CAs (subordinates)
Clients get their certificates via autoenrollment with GPOs.

How do the clients know what the addresses of the issuing CAs are (in the autoenrollment process)? Where can I define the addresses of the issuing CAs? Is there a document that explains in detail how the fail-over mechanism works?

All tips and suggestions are more than welcome.
July 7th, 2009 12:56pm

Hi,

All enterprise CAs will create an enrollment service object in Active Directory (CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com). When a user requests a certificate by using the Certificates MMC snap-in, the certificate requester does not access the issuing CA directly by using its IP address. The certificate requester enumerates all registered enrollment services in Active Directory (the Enrollment Services container in the configuration partition) and sends its request to a CA that can enroll the certificate type that the user wants.

Thanks.
July 9th, 2009 11:01am
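
The lookup described in the reply above can be reproduced from any domain-joined machine to check whether both issuing CAs really back each other up. The following PowerShell is an added example, not part of the original thread; it assumes `certutil.exe` is available and that the account can read the configuration partition, and the "at least two responding CAs" threshold is an assumption that matches the two-issuing-CA setup in the question.

```powershell
# Added example: enumerate the enrollment services that clients discover in AD.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
foreach ($attr in 'cn', 'dNSHostName', 'certificateTemplates') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# One row per CA: name, host, liveness, and the templates it is published for.
$services = foreach ($result in $searcher.FindAll()) {
    $caName  = [string]$result.Properties['cn'][0]
    $dnsName = [string]$result.Properties['dnshostname'][0]

    # certutil -ping checks that the CA's request interface answers.
    certutil.exe -config "$dnsName\$caName" -ping | Out-Null

    [pscustomobject]@{
        CA        = $caName
        DnsName   = $dnsName
        Responds  = ($LASTEXITCODE -eq 0)
        # Filter out the $null returned when a CA publishes no templates.
        Templates = @($result.Properties['certificatetemplates'] | Where-Object { $_ })
    }
}
$services | Format-Table CA, DnsName, Responds, @{ n = 'TemplateCount'; e = { $_.Templates.Count } }

# Invert the view: per template, which CAs can issue it and how many respond.
# A template published on a single CA has no fail-over target.
$services | ForEach-Object {
    $ca = $_
    $ca.Templates | ForEach-Object {
        [pscustomobject]@{ Template = $_; CA = $ca.CA; Responds = $ca.Responds }
    }
} | Group-Object Template | ForEach-Object {
    $live = @($_.Group | Where-Object Responds)
    [pscustomobject]@{
        Template      = $_.Name
        PublishedOn   = ($_.Group.CA -join ', ')
        RespondingCAs = $live.Count
        Redundant     = ($live.Count -ge 2)   # assumed threshold: two issuing CAs
    }
} | Sort-Object Redundant, Template | Format-Table -AutoSize
```

Templates listed with `Redundant` set to `False` are the ones for which clients have no second CA to fall back on.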

If you install one Root CA and two Issuing CAs, is the Root CA unable to auto-enroll certificates by default? You just want to let the two Subordinate CAs issue certificates. Thanx
July 22nd, 2009 4:55pm

This topic is archived. No further replies will be accepted.
