Windows Server 2008 ADCS Offline RootCA and Online Issuing CA
I am new to AD Certificate Services. My plan is to have a two-tier CA hierarchy: Offline Root CA and online Issuing CA. My AD forest contains two domains: Root Domain and Normal Domain, such that we have NormalDomain.RootDomain.com. Our AD domains run at Windows Server 2003 functional level but with the Windows Server 2008 schema extended. My root CA and issuing CA servers run Windows Server 2008 R2 and are members of the NormalDomain domain. I have installed ADCS on both CA servers with admin rights on the NormalDomain domain plus the Enterprise Admin right on the RootDomain domain. The ADCS was installed without using a CAPolicy.inf file. I have not done any further configuration on either server.

But after I disabled the network connection on the root CA server, the ADCS on the issuing CA server failed to restart with Event ID 100 error: "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. <MyCARoot> The revocation function was unable to check revocation because the revocation server was offline."

I have re-enabled the network connection on the root CA server. But the ADCS service on the issuing CA server still fails. I have run pkiview to check <MyCARoot> and I noticed that my root CA's AIA Location #1 has status OK but CDP Location #1 has status Expired.

The Extensions tab in the Properties of MyRootCA via the Certification Authority utility shows four entries for CRL Distribution Point (CDP):
- C:\Windows\System32\CertSrv ...
- ldap://CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>...
- http://<ServerDNSName>/CertEnroll/<CaName>...
- file://<ServerDNSName>/CertEnroll/<CaName>...

All of them are defaults after installing the ADCS service. Could you please help me to fix my problem?
I just want the ADCS service on the issuing CA server to be in normal operation.

My further reading and research tell me that the root CA server should not be a member of a domain and the root CA should not have AIA and CDP either. Can I just simply re-join the root CA server to a workgroup with the ADCS as it is?

Thanks in advance.
SJJ123
December 4th, 2009 3:10pm
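The check behind pkiview's "Expired" CDP status, as an added example that is not part of the original thread: certutil walks the AIA and CDP URLs of the root CA certificate and reports each one, which is what the Event ID 100 start-up check also does. The export path C:\Temp\RootCA.cer is an assumption.

```powershell
# Added example (not from the thread). Run on the issuing CA. Assumes the root CA
# certificate was exported to C:\Temp\RootCA.cer (placeholder path).
$rootCert = 'C:\Temp\RootCA.cer'

# certutil -verify -urlfetch fetches every AIA and CDP URL in the certificate and
# reports each as Verified, Expired or unreachable. A root CA that has been offline
# longer than its base CRL validity (default: 1 week) shows its base CRL as Expired,
# which is the "revocation server was offline" condition the issuing CA logs.
$report = certutil -verify -urlfetch $rootCert 2>&1 | Out-String

# Keep only the revocation-related lines so the verdict is readable at a glance.
$report -split "`r?`n" | Where-Object { $_ -match 'CRL|CDP|Revocation|Expired' }

# On the root CA itself (not the issuing CA), the base CRL validity that decides how
# long the root may stay offline is stored in the CertSvc configuration; default 1 Weeks.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
```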

Sorry, but if you want to implement an Offline Root CA you will probably have to recreate your hierarchy (if your PKI is fresh, this process shouldn't be so painful). First, you must not run a Root CA on a domain-joined computer, because domain computers must change their passwords every 30 days. Therefore you should set up the Root CA as a Standalone Root CA on a workgroup-joined computer. Here are some helpful links for you:
http://technet.microsoft.com/en-us/library/cc738786(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc786960(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc786218(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc784465(WS.10).aspx
http://www.sysadmins.lv
December 4th, 2009 5:29pm

Hi Vadims.
Thank you very much.
Is it possible to demote the Standalone Root CA from a domain to a workgroup? And then re-issue a certificate to its subordinate CA (my issuing CA) with a new certificate including new CDP, etc.? Are the Windows Server 2003 CA checklists still good for Windows Server 2008?
Thanks,
December 4th, 2009 7:50pm

Yes, it is possible. Here are the steps:
1) Disable Delta CRL publishing (if Delta CRL was enabled);
2) Increase the Base CRL publishing period (by default the Base CRL is published every week, but an Offline CA may require longer periods, for example 3 months) and configure Base CRL overlap settings (the overlap period may be between 1 and several weeks);
3) Publish a new CRL with the new long validity period;
4) Make a full CA backup (including CA keys);
5) Back up the CA configuration from the registry (HKLM\System\CurrentControlSet\Services\CertSvc\);
6) Remove the CA role from the domain server;
7) On the standalone server set up the CA role. During private key creation you must specify the existing key and import the PFX certificate from the backup;
8) After CA role installation, import the configuration settings from the .reg file (that was created in step 5);
9) In the CA console import the CA database from the backup (that was created in step 4).
This is a short description of CA migration, so depending on your current configuration several changes might be required.
http://www.sysadmins.lv
December 4th, 2009 8:12pm
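Steps 1 to 5 of the migration above as certutil commands, added here as an example and not the poster's own script. It is run on the existing domain-joined root CA before the role is removed; the backup folder C:\CABackup and the PFX password are placeholders, and the CRL values (3-month base CRL, 2-week overlap) are the ones the reply suggests.

```powershell
# Added example (not from the thread). Run elevated on the root CA that is
# about to be migrated. C:\CABackup and the password are placeholders.
$backupDir = 'C:\CABackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1) Disable delta CRL publishing: a delta period of 0 units turns it off.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 2) Base CRL valid for 3 months, with a 2-week overlap so the old CRL stays
#    valid while the new one is copied to the CDP locations.
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"

# The CA reads these values at start-up, so restart it before publishing.
net stop certsvc
net start certsvc

# 3) Publish a new base CRL with the long validity period. Afterwards copy the
#    .crl from %SystemRoot%\System32\CertSrv\CertEnroll to the HTTP CDP host,
#    otherwise the issuing CA will still fetch the expired one.
certutil -CRL

# 4) Full CA backup: CA key and certificate as PFX, plus database and logs.
certutil -p 'ReplaceWithStrongPassword' -backup $backupDir

# 5) Export the CertSvc configuration for re-import on the standalone server.
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration "$backupDir\CertSvc.reg" /y

# Confirm the PFX, database and .reg file are present before removing the role.
Get-ChildItem $backupDir -Recurse | Select-Object FullName, Length
```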

Hi Vadims,
Thank you very much for the info.
I will rebuild my offline root CA and online issuing CA as you suggested in the first email. I will follow Brian Komar's book "Windows Server 2008 PKI and Certificate Security" to re-create them. But the book gives an example of a 3-tier CA hierarchy with Offline Root CA, Offline Policy CA, and Online Issuing CA. For my case, I will set up my root CA with requirements from both the Offline Root CA and the Offline Policy CA in the book.
The configuration settings of key length 2048 and hash algorithm sha256 are used in the book. Should I go for 1024 key length and sha128? What are the best practice recommendations?
Thanks,
SJJ123
December 7th, 2009 2:09am

You can use 2048-bit and SHA256 for both CAs as used in the book.
http://www.sysadmins.lv
December 7th, 2009 2:12am

Hi Vadims,
Does Windows XP SP3 support both? I assume Windows 7 supports both. If not, I can use 1024-bit and SHA128 on the issuing CA server. Am I right?
Thanks.
SJJ123
December 7th, 2009 2:38am

Initially Windows XP and Windows Server 2003 didn't support SHA2 hashing algorithms. However, there is an update:
http://support.microsoft.com/kb/968730
After installing this, these OSs can recognize SHA2.
P.S. I'm not sure if there is a key length limitation for operating systems (however, some applications and hardware have this limitation). In general, hashing algorithm support is the more relevant question.
http://www.sysadmins.lv
December 7th, 2009 2:52am
