subordinate redundancy
Hello all... I have a case and I need your help. I have one root CA which is offline and one subordinate win2003. What I need: in the same LAN, to have two subordinates in order to have redundancy. Do I have to install a separate sub, or is there a way for replication? Thanks, dkotix
October 10th, 2009 2:43pm
No, there is no replication. If the actual SUB is an enterprise CA (AD integrated), you just need to install another one and configure it with the same set of templates. Clients use whatever authority offers that template, so you will have them equal.
ondrej.
October 10th, 2009 4:00pm
Ondrej proposed a good solution, but it will provide redundancy only for issuing new certificates. In case of CA failure you will need to restore the issuing CA before its CRL expires (otherwise the relying parties won't be able to check certificate validation). If you really need a highly available solution, use Windows 2008 Server Active Directory Certificate Services and set up a failover cluster. More info can be found here: http://www.microsoft.com/downloads/details.aspx?FamilyID=15c75333-be26-4955-a32c-03077daf1631&displaylang=en
Best regards
Martin Rublik
October 10th, 2009 9:14pm
Not always necessary. You probably have the CRLs in AD, which is highly available in itself, and if you are using HTTP CRLs, you can as well deploy NLB on some web server. So the cluster service is not always necessary.
ondrej.
October 11th, 2009 3:13pm
Thanx Ondrej :-)
October 11th, 2009 3:23pm
Thanx Martin :-)
October 11th, 2009 3:23pm
One more question: can I move a sub CA to another computer with a different computer name, but the sub CA with the same name as the old one?
Example:
Old one: Computer name = subca.domain.net, CA name = winca.domain.net
New one: Computer name = newsubca.domain.net, CA name = winca.domain.net
Microsoft said the computer name must be the same. Notice it is an Enterprise CA. Thanks one more time guys :-) dkotix
October 11th, 2009 3:26pm
Yes, the computer name must be the same.
o.
October 11th, 2009 3:37pm
So just for verification: I create the backup, close or unplug the active sub CA, import the backup data to the new one; in case the restore fails, shut down the new one, reopen the old one, leave the company and go out for coffee. For the last procedure (out for coffee) I am absolutely sure... :-) dkotix
October 11th, 2009 3:47pm
Pretty much. I find it best to use the CA backup and restore for the restoration. Make sure that you rejoin the domain with the new computer (and do not delete the old computer account). It is recommended to reset the account.
Brian
October 11th, 2009 11:53pm
Thanx Brian :-)
October 12th, 2009 12:15pm


