What are the main reasons to having a Three Tier architecture? What would be the design question that I would need to ask myself in order to make a decision on 2 verse 3 tiers? Thanks, Paul

Three Tier Architecture offers highest security when compared to Two Tier Architecture

On Mon, 6 Jun 2011 05:10:49 +0000, krymer wrote: Three Tier Architecture offers highest security when compared to Two Tier Architecture Contrary to what some Microsoft documentation asserts, this simply isn't the case. The only time one really needs a 3 tier infrastructure is when for whatever reason, one needs to assert two or more radically different sets of policy. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Maybe Computer Science should be in the College of Theology. -- R. S. Barton

Paul is quite correct, I'd advise you work on the premise of a two-tier PKI unless you have a very clear requirement that dictates you deploy three tiers. Furthermore, some of the Microsoft documentation has been updated to reflect the more pragmatic approach. “Designing a three-tier hierarchy with intermediate CAs increases the complexity of the environment. Requirements to implement different policies can be implemented in a two-tier hierarchy with additional Issuing CAs. The Windows Server product group states that there are no scale limitations that require a middle tier, so avoid using intermediate CAs unless there is a compelling business reason for doing so.” Scraped from the ADCS Infrastructure Planning and Design Guide at: http://technet.microsoft.com/en-us/library/ff630887.aspx Dave

I get called in to fix the Two-Tier PKI infrastructure and implement Three-Tier PKI infrastructure.Thanks.

On Tue, 7 Jun 2011 02:57:35 +0000, krymer wrote: I get called in to fix the Two-Tier PKI infrastructure and implement Three-Tier PKI infrastructure. Properly implemented, there is nothing to fix when a two tier PKI is implemented. Your statement about a three tier being inherently more secure than a two tier is simply factually incorrect. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Those who can't write, write help files.