Windows 2008 (R2) Certificate Authority questions
I would like to set up a Windows 2008 (possibly R2) server as a CA, primarily as a means to authenticate wireless users (rather than using PSK - pre-shared keys). Realizing what the best practices are (I've been reading Brian Komar's MS Press book on the subject), but working with a limited budget in an environment (academic - school) that requires decent but not excessively stringent security, I have the following questions (below).

Although best practice would be to configure a stand-alone CA and then take it offline after creating appropriate certs for a subordinate CA, it looks like I will need to settle for a single CA. In Brian Komar's book, I believe he uses the example of "Margie's Travel", a fictitious small business that cannot afford a full-fledged CA infrastructure. I am in a similar situation.

Question 1. Can I install the CA on a domain controller? Is it correct that this option is "supported" but not recommended? I think the reason is that best practice for DCs is to install nothing on them besides AD DS and DNS. Are there other reasons not to do this? Reasons that would make me really regret installing the CA on a DC?

Question 2. If I use autoenrollment via Group Policy, would I still need to install IIS on the DC?

Question 3. If the answer to Question 2 is YES, then how much of a security risk would it be to install something like IIS 7.5 on a W2K8 R2 domain controller? It seems like installing IIS on a DC used to be considered bad practice. Some thoughts:
- The DC is not directly accessible from outside the LAN.
- I believe W2K8 R2 offers Active Directory Web Services (AD WS) which presumably requires IIS.

Question 4. Can the AD CS role be installed on Windows 2008 (R2) Server Core? With full functionality? This link seems to suggest it can: http://security-24-7.com/category/server-core/ Now, is that ONLY Windows 2008 R2?

Thank you in advance!
November 12th, 2010 6:05pm

Hi,

Wow, that's a lot of questions. Let's see if I can help.

1. Installing CA on DC: yes, this is supported. Here is a more elaborate answer: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

2. Auto Enrollment and IIS: Auto Enrollment is not dependent on IIS. Please explain your question in more detail or provide a scenario, since I may be missing your point.

3. Security risk from installing IIS on DC: NA, if you don't install IIS. W2K8 R2 does have optional ADCS roles that require Web Services (Certificate Enrollment Web Service and Certificate Policy Web Service). However, these can be installed on a separate server, even from the CA, and they are designed to extend Certificate Services outside the local network. It sounds like these features are beyond what you require; therefore, using W2K8 R2 will not require installing IIS.

4. ADCS on Server Core: yes. There is full support for Certificate Services on Windows Server Core 2008 R2. See here: http://www.microsoft.com/windowsserver2008/en/us/r2-compare-core-installation.aspx

Thanks,
John
November 12th, 2010 7:47pm

Thank you John!

1. Looks like an option then (commenting the comments of Sander Berkouwer in your link):
- The DC would not be Internet facing (internal use only).
- It would not be an offline root (even though I realize that this would be the most secure option).
- If we used Windows 2008 (R2), I foresee no need to upgrade in the near future.
- I realize that a CA cannot be renamed. The inability to demote the DC could possibly be an issue, but the CA role can be moved first.

2. Scenario? The CA would be used to issue certificates to WiFi laptop clients that are domain members. The certificates would be used to authenticate the laptop clients via a NPS (RADIUS server). This would be accomplished through autoenrollment and, according to your information then, would not be dependent on IIS. In fact, I tried this on a test network (just the autoenrollment option) and the client was able to receive the cert without IIS being installed anywhere.

4. AD CS on W2K8 R2 server core. This is good news. However, I might need to install the NPS (RADIUS) role on the DC as well and I believe that this role is NOT supported on Server Core - or not yet.

Note: the number of laptop clients would currently (if the solution is implemented) be less than 10 and probably never exceed 20 (small environment).

Note: the "traditional" CRL (Cert Revocation List) option would almost certainly suffice - no need for Online Responders.
November 15th, 2010 9:08am
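A read-only check for the setup discussed in this thread (CA co-located on the DC, autoenrollment without IIS, NPS for RADIUS), added here as an example and not posted by either participant. It assumes Windows Server 2008 R2 with PowerShell 2.0 and the standard ServerManager feature names; the last section is meant to be run on a domain-member laptop.

```powershell
# Added example (not from the thread): confirm on the prospective CA/DC host which
# roles are present, whether IIS is installed without any ADCS web role needing it,
# and whether the machine autoenrollment policy from Group Policy has applied.
# Assumes Windows Server 2008 R2 / PowerShell 2.0, where ServerManager must be imported.
Import-Module ServerManager

function Test-FeatureInstalled {
    param([string]$Name)
    $f = Get-WindowsFeature -Name $Name
    return ($f -ne $null -and $f.Installed)
}

# Role inventory on this host (feature names are the ServerManager names on 2008 R2)
$isDC      = Test-FeatureInstalled 'AD-Domain-Services'
$isCA      = Test-FeatureInstalled 'ADCS-Cert-Authority'
$hasWebEnr = Test-FeatureInstalled 'ADCS-Web-Enrollment'   # optional role; this one needs IIS
$hasIIS    = Test-FeatureInstalled 'Web-Server'
$hasNPS    = Test-FeatureInstalled 'NPAS-Policy-Server'

"DC role       : $isDC"
"CA role       : $isCA"
"IIS installed : $hasIIS"
"NPS installed : $hasNPS"

if ($isCA -and $hasIIS -and -not $hasWebEnr) {
    'IIS is present but no ADCS web role uses it; autoenrollment alone does not need IIS.'
}

# Machine autoenrollment policy, as pushed by the GPO setting
# "Certificate Services Client - Auto-Enrollment" under Public Key Policies.
# AEPolicy bits: 1 = enabled, 2 = renew expired / update pending, 4 = update templates.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue
if ($ae -and ($ae.AEPolicy -band 1)) {
    "Autoenrollment policy: enabled (AEPolicy=$($ae.AEPolicy))"
} else {
    'Autoenrollment policy: not enabled for this machine'
}

# On a laptop client: list machine certificates carrying the Client Authentication EKU,
# i.e. the ones NPS can accept for certificate-based 802.1X, with issuer and expiry.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid } } |
    Select-Object Subject, Issuer, NotAfter
```

If the policy shows as enabled but no certificate appears on the client, `certutil -pulse` triggers an autoenrollment pass without waiting for the next Group Policy refresh.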

