Windows 2008 Routing and Remote Access
Hi all,

We currently use a Windows 2000 server as a RAS (VPN) server. I am in the process of deploying a Routing and Remote Access service on a Windows 2008 server and I learned about a new protocol, "SSTP", that can be used for better security. By reading about the SSTP protocol, I also learned that a Windows CA server needs to be in place to issue certificates. We currently do not have any CA servers in our domain and I see there are two options to integrate it, Enterprise CA or Stand Alone CA. So, I have a couple of questions.

1. What is the best way to go about integrating the CA server, Enterprise or Stand Alone?
2. Can the CA server be a domain controller? Is it recommended?

Thanks in advance.
July 9th, 2010 7:05pm

> 1. What is the best way to go about integrating the CA server, Enterprise or Stand Alone?

I prefer enterprise because it is sometimes possible to set up autoenrollment for different kinds of certificates. These might be of some help:

http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc731352(WS.10).aspx
http://blogs.technet.com/b/rrasblog/archive/2007/02/02/configuring-the-vpn-server-to-accept-sstp-connections.aspx

In a lot of environments that require better security, you might deploy two, one that is a standalone root and an enterprise subordinate CA. The only thing that the offline root CA does is issue the subordinate CA cert for the issuing enterprise CA, and then the system is taken offline and kept secure.

> 2. Can the CA server be a domain controller? Is it recommended?

Yes and no (reasons for no primarily involve security of the CA and the possibility of having to revoke and reissue all of the certificates at and below a CA in the event of a breach).

-- Mike Burr
July 9th, 2010 9:37pm

Thanks Mike!

When I go through the process of adding the "Active Directory Certificate Services" role on the 2008 server, my only option is stand alone. The Enterprise option is disabled. The server is already part of the domain. Is there any reason why it is disabled?

On another question, as far as I understand, the CA server will issue certificates for the domain controllers. What is the purpose of these certificates to the domain controllers? I read a message on a forum about domain controller certificates expiring or something. I just want to make sure nothing will be affected in our domain by integrating the CA server.

Once the CA server is integrated, do the certificates need to be installed on the client machines that will be connecting to the VPN server?

Thanks.
July 9th, 2010 10:39pm

How are you logged in? Enterprise requires you to be an enterprise admin.

Domain controllers use them for things like secure LDAP communication. I am not sure about maintaining their validity. I believe as long as the CA is available they will automatically renew the cert, but I am not sure about that.

Setting up a CA infrastructure shouldn't be taken lightly. You should lay out a hierarchy and put together policies for issuing and controlling certificates.

I am unsure about the client question, but I don't believe the certs are needed on the clients unless you use client certificates for authentication of the users.
July 9th, 2010 10:58pm
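The replies above come down to three requirements on the SSTP server certificate: it must be a Server Authentication certificate for the VPN server's public name, it must chain to a root the clients trust (domain members receive an enterprise CA's root automatically; a standalone root has to be distributed to them), and the CA's revocation list must be reachable, since the SSTP client checks it during the TLS handshake. The PowerShell below is an added example, not code from this thread or from Microsoft; it runs on the RRAS server and reports which of those requirements the installed certificate fails. The VPN name `vpn.example.com` is a placeholder.

```powershell
# Added example: pre-flight check of the certificate an SSTP server will present.
# Assumptions: the VPN public FQDN is vpn.example.com (placeholder) and the
# certificate with its private key is in the computer's Personal store.
# Run in an elevated PowerShell on the RRAS server.
$VpnName       = 'vpn.example.com'     # placeholder, replace with the real FQDN
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Newest unexpired certificate issued to the VPN name that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$VpnName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate for $VpnName with a private key in LocalMachine\My"
    return
}

$problems = @()

# 1. EKU: if the certificate lists EKUs at all, Server Authentication must be one.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt -and -not (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)) {
    $problems += 'Certificate does not carry the Server Authentication EKU'
}

# 2. Validity: warn well before expiry so the VPN does not stop unexpectedly.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate expires on $($cert.NotAfter)"
}

# 3. Chain and revocation: build the chain the same way a client would, with an
#    online CRL check on the issuing CAs (the self-signed root is never checked).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ServerAuthOid))
if (-not $chain.Build($cert)) {
    $problems += $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
}

# The top of the chain is the root every VPN client must have in its Trusted
# Root store; note it so it can be pushed by Group Policy if it is not an AD root.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    Root       = $root.Subject
    Problems   = if ($problems) { $problems } else { 'none' }
}
```

A chain-build failure mentioning revocation usually means the CRL distribution point is not reachable over HTTP from where the check runs, which is the same failure clients will see when they connect.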
