Windows Root Certificate authority questions.

Hello,

I have 2 questions with regards to an offline root CA in a 2-tier hierarchy:

(1) Is it necessary to map the namespace of Active Directory to an offline CA's registry configuration? I didn't do this step in my lab environment and find this in some, but not all, of the online posts as well. What happens if we don't run this command on the offline CA?

For instance: certutil.exe setreg ca\DSConfigDN CN=Configuration,DC=lab,DC=com

(2) What happens if I do not publish the root CA certificate via the "certutil -dspublish -f xxx.cer RootCA" command but instead just push the root certificate using the Default Domain Group Policy Object to the "Trusted Root Certification Authorities" store on all the domain machines? What are the pros/cons of using the certutil method vs the GPO method?

Thanks

Neeraj


February 7th, 2015 1:40pm

> Is it necessary to map the namespace of Active Directory to an offline CA's registry configuration?

It is necessary only if you configure LDAP URLs for the CRL Distribution Points and Authority Information Access extensions on the Root CA (not recommended).

> What are the pros/cons of using the certutil method vs the GPO method?

Different scopes. When publishing in Active Directory, it is downloaded to all *forest* members, while a GPO covers only a limited scope (domain, site or OU).

February 7th, 2015 4:49pm
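The two points in the answer above (DSConfigDN only matters when the root's CDP/AIA extensions carry LDAP URLs; AD publication is forest-wide while a GPO is domain/site/OU-scoped) can be checked from a domain member with the following PowerShell. It is an added example, not code from the thread or from Microsoft. It assumes the root CA certificate was exported to C:\pki\rootca.cer, that the script runs on a domain-joined machine (for the LDAP lookup), and that the two registry keys used to tell a GPO-delivered root apart from an AD-downloaded one are where those channels cache their certificates; treat those paths as assumptions. On the offline CA itself, `certutil -getreg ca\DSConfigDN` shows whether the registry value from question 1 was ever set.

```powershell
# Added example, not from the thread. Assumes the root CA certificate was exported
# to C:\pki\rootca.cer and that this runs on a domain-joined machine (for the AD
# lookup). The registry paths for the two trust-delivery channels are assumptions.
function Test-RootCaTrust {
    param([string]$CertPath = 'C:\pki\rootca.cer')

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Question 1: only a root whose CDP/AIA extensions point at ldap:/// paths needs
    # ca\DSConfigDN, because that value is what the CA substitutes into those LDAP
    # URLs. Scan the two extensions for LDAP locations.
    $cdpOid = '2.5.29.31'          # CRL Distribution Points
    $aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access
    $ldapUrls = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq $cdpOid -or $ext.Oid.Value -eq $aiaOid) {
            $decoded = $ext.Format($true)   # human-readable dump of the extension
            $ldapUrls += @([regex]::Matches($decoded, 'ldap:///\S+') | ForEach-Object { $_.Value })
        }
    }

    # Question 2, channel (a): "certutil -dspublish ... RootCA" writes the cert into
    # the Certification Authorities container of the Configuration NC, which every
    # machine in the forest reads. Look for our thumbprint there.
    $configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $caContainer = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    $publishedInAd = $false
    foreach ($entry in $caContainer.Children) {
        foreach ($blob in $entry.Properties['cACertificate']) {
            $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$blob)
            if ($adCert.Thumbprint -eq $cert.Thumbprint) { $publishedInAd = $true }
        }
    }

    # Channel (b): a GPO-delivered root is cached under the policy key, an AD-sourced
    # (enterprise) root under the EnterpriseCertificates key (assumed paths). Both
    # surface in Cert:\LocalMachine\Root, so check the sources, not the merged view.
    $gpoKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$($cert.Thumbprint)"
    $entKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\$($cert.Thumbprint)"

    [pscustomobject]@{
        Subject             = $cert.Subject
        Thumbprint          = $cert.Thumbprint
        LdapCdpAiaUrls      = $ldapUrls
        NeedsDSConfigDN     = ($ldapUrls.Count -gt 0)
        PublishedInAdForest = $publishedInAd
        DeliveredByGpo      = (Test-Path $gpoKey)
        DeliveredFromAd     = (Test-Path $entKey)
        InLocalMachineRoot  = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint)
    }
}

Test-RootCaTrust
```

A root with no ldap:/// entries in its CDP/AIA reports NeedsDSConfigDN = False, which is the case the answer calls "not necessary". PublishedInAdForest is the same for every machine in the forest because it reads the Configuration naming context, whereas DeliveredByGpo is only True on machines inside the GPO's scope; running the function on a member of a second domain in the forest shows the scope difference directly.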
