Using DFS to replicate Certs and CRLs to redundant HTTP AIA/CDP location
I'm working on a solution that will publish CA certs and CRLs to a highly available HTTP location using NLB (or maybe a hardware equivalent) only; no publishing to LDAP will be done. In a test lab, I have a 2K3 offline root CA and two 2K8 R2 subordinate enterprise CAs.

I was wondering if it would be possible (or even wise!) to replace the local AIA/CDP publishing location (typically %WinDir%\System32\CertSrv\CertEnroll) with a UNC path pointing to a DFS target. I was then planning to use the same DFS target as the folder for the virtual directory of the HTTP location, so that any CA certificates or CRLs published at any of the servers would be replicated between the servers, keeping the HTTP location up-to-date without any administrative intervention. Is this a wise thing to attempt, or are there better ways of accomplishing the same task?

I did look at using a custom exit module, but documentation seems a bit sparse on the subject; the 2K3 PKI Ops Guide was a bit disappointing! Any pointers here would also be appreciated.

Steve G
February 19th, 2010 9:28pm

That would work, but I would not replace the default; I would just add an additional location.

Brian
February 19th, 2010 10:02pm
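The following script is an added example of what Brian suggests, not code from either poster: it keeps the default local CertEnroll publishing location and adds a DFS UNC target as a second publish-only location, while the HTTP URL is the only one placed in the CDP/AIA extensions clients see. The DFS namespace path `\\corp.example.com\pki\CertEnroll` and the HTTP alias `pki.example.com` are assumed placeholders. It uses `certutil -setreg`, since the ADCSAdministration cmdlets are not available on the 2008 R2 CAs described in the question.

```powershell
# Added example (not from the thread). Assumed values: the DFS target
# \\corp.example.com\pki\CertEnroll and the HTTP alias pki.example.com.
# Run in an elevated prompt on each subordinate CA.

# CRLPublicationURLs flags (bitwise OR):
#   1  = publish CRLs to this location            (CSURL_SERVERPUBLISH)
#   2  = include in CDP extension of issued certs (CSURL_ADDTOCERTCDP)
#   4  = include as Freshest CRL (delta) URL      (CSURL_ADDTOFRESHESTCRL)
#   8  = include in IDP extension of the CRL      (CSURL_ADDTOCRLCDP)
#   64 = publish delta CRLs to this location      (CSURL_SERVERPUBLISHDELTA)
# CACertPublicationURLs flags:
#   1  = publish the CA certificate here
#   2  = include in AIA extension of issued certs
#   32 = OCSP responder URL (not used here)

$localCertEnroll = '%WINDIR%\system32\CertSrv\CertEnroll'   # default, left in place
$dfsCertEnroll   = '\\corp.example.com\pki\CertEnroll'      # assumed DFS target
$httpBase        = 'http://pki.example.com/CertEnroll'      # assumed NLB'd virtual directory

# Entries are joined with a literal "\n", which certutil -setreg expands into
# separate REG_MULTI_SZ entries. Tokens: %1 = server DNS name, %3 = sanitized
# CA name, %4 = certificate renewal suffix, %8 = CRL name suffix,
# %9 = delta CRL allowed. Because %3 differs per CA, two CAs writing into the
# same DFS folder never write the same file name, so DFS-R sees no conflicts.
$crlUrls = @(
    "65:$localCertEnroll\%3%8%9.crl"   # default: publish base + delta CRL locally
    "65:$dfsCertEnroll\%3%8%9.crl"     # added:   publish base + delta CRL to DFS
    "6:$httpBase/%3%8%9.crl"           # what clients see in CDP / Freshest CRL
) -join '\n'

$aiaUrls = @(
    "1:$localCertEnroll\%1_%3%4.crt"   # default: publish CA cert locally
    "1:$dfsCertEnroll\%1_%3%4.crt"     # added:   publish CA cert to DFS
    "2:$httpBase/%1_%3%4.crt"          # what clients see in AIA
) -join '\n'

certutil -setreg CA\CRLPublicationURLs "$crlUrls"
certutil -setreg CA\CACertPublicationURLs "$aiaUrls"

# The CA service only reads these values at start-up.
net stop certsvc
net start certsvc

# Force a CRL publish to every location flagged 1/64, then check that the
# file landed on the DFS target as well as locally.
certutil -CRL
Get-ChildItem "$dfsCertEnroll\*.crl" | Select-Object Name, LastWriteTime

# Show the effective configuration for review.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

The CA writes to the UNC path using its computer account, so the DFS target folder needs Modify NTFS rights and Change share rights for each CA's computer account; if the publish fails, the CA logs the error in the Application event log and `certutil -CRL` reports it, while the local copy still succeeds because the default location was not removed. Check the result from a domain-joined client with `certutil -verify -urlfetch` against a certificate issued by the CA, which fetches every CDP and AIA URL in the extensions and so confirms that the HTTP location is serving the replicated files.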
