Two or Three Tier
What are the main reasons for having a Three Tier architecture? What would be the design question that I would need to ask myself in order to make a decision on 2 versus 3 tiers? Thanks, Paul
May 23rd, 2011 5:43pm

Three Tier Architecture offers highest security when compared to Two Tier Architecture
June 6th, 2011 8:10am

On Mon, 6 Jun 2011 05:10:49 +0000, krymer wrote:
> Three Tier Architecture offers highest security when compared to Two Tier Architecture

Contrary to what some Microsoft documentation asserts, this simply isn't the case. The only time one really needs a 3 tier infrastructure is when for whatever reason, one needs to assert two or more radically different sets of policy.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Maybe Computer Science should be in the College of Theology. -- R. S. Barton
June 6th, 2011 12:17pm

Paul is quite correct, I'd advise you work on the premise of a two-tier PKI unless you have a very clear requirement that dictates you deploy three tiers. Furthermore, some of the Microsoft documentation has been updated to reflect the more pragmatic approach.

“Designing a three-tier hierarchy with intermediate CAs increases the complexity of the environment. Requirements to implement different policies can be implemented in a two-tier hierarchy with additional Issuing CAs. The Windows Server product group states that there are no scale limitations that require a middle tier, so avoid using intermediate CAs unless there is a compelling business reason for doing so.”

Scraped from the ADCS Infrastructure Planning and Design Guide at: http://technet.microsoft.com/en-us/library/ff630887.aspx

Dave
June 6th, 2011 10:36pm

I get called in to fix the Two-Tier PKI infrastructure and implement Three-Tier PKI infrastructure. Thanks.
June 7th, 2011 5:57am

On Tue, 7 Jun 2011 02:57:35 +0000, krymer wrote:
> I get called in to fix the Two-Tier PKI infrastructure and implement Three-Tier PKI infrastructure.

Properly implemented, there is nothing to fix when a two tier PKI is implemented. Your statement about a three tier being inherently more secure than a two tier is simply factually incorrect.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Those who can't write, write help files.
June 7th, 2011 11:48am

One of the reasons is to have the root offline, another involves the different kinds of certificates that you might use in an enterprise (e.g. identity, signing, device, encryption) and another is the policy of relying parties and other requirements for federation. Start with the requirements and the impact on or the existing policies. As pointed out below a policy requirement and different object identifiers (if anyone really uses them) can drive this.
January 22nd, 2013 7:55am

This topic is archived. No further replies will be accepted.
