ADCS in Multi Domain Environment

Hello Experts, 

I have an environment where I would like to set up my Certificate Services for Lync Server. Two locations, DC and DR: DC has 4 servers for AD - 2 in the MZ zone and 2 in the DMZ; DR has 1 in the DMZ only. All are running 2012 R2. The DC MZ servers will have the FSMO roles running in distributed mode, and the 2 DMZ servers will be serving the user requests.

Please advise me where I should install my CS services, and how these will work in a failover or DC scenario.

Thanks in Advance

Harjit S

August 31st, 2015 3:56am

Hi

You can install your CA server in your main DC. By default the certificate CRL will be installed to Active Directory, which replicates with your Domain Controllers. A failure of the CA itself will not stop Lync from working or certificates from being revoked, because a valid CRL will be found in AD. You could adopt a root and subordinate CA model with an issuing CA in each DC if you wish to have a method of requesting certificates from a local CA at each DC.

The CA should be an enterprise CA, not standalone and should be on your "MZ" network. DMZ machines will be able to access the CA using HOSTS file entries.

One thing to note for DMZ machines is that they cannot look up AD-replicated CRLs. Therefore you should create an HTTP CRL lookup point at each DC for these servers.

thanks

August 31st, 2015 10:38am
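The HTTP CRL lookup point the answer recommends for DMZ hosts, as an added example that is not part of the original thread. It assumes an enterprise CA named Contoso-Issuing-CA already installed on an MZ server, a web server (one per DC site) exposing a CertEnroll share and virtual directory as pki.contoso.example, and a DMZ host with a HOSTS entry for that name; all names and paths are placeholders.

```powershell
# Added example (not from the original thread). Run on the issuing CA as a CA administrator.
# Placeholders: Contoso-Issuing-CA, pki.contoso.example, the CertEnroll share, C:\certs\lync-edge.cer.
Import-Module ADCSAdministration

# Where the CA writes CRL/CA-cert files (UNC share served over HTTP by each DC's web server)
# and the URL that will be stamped into issued certificates so DMZ hosts can fetch the CRL.
$FilePublish = 'file://\\pki.contoso.example\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$HttpCdp     = 'http://pki.contoso.example/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$HttpAia     = 'http://pki.contoso.example/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt'

# A default enterprise CA carries only ldap:/// and local file:// entries; ldap:/// is
# unusable from a DMZ host that is not a forest member, which is the failure the answer describes.
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, PublishToServer

# Publish the CRL (base and delta) to the web share, and add the HTTP CDP to issued certificates.
# The existing ldap:/// entry is left in place for domain-joined MZ machines.
if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $FilePublish)) {
    Add-CACrlDistributionPoint -Uri $FilePublish -PublishToServer -PublishDeltaToServer -Force
}
if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $HttpCdp)) {
    Add-CACrlDistributionPoint -Uri $HttpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
}
# Same for AIA, so chain building from the DMZ can retrieve the issuing CA certificate over HTTP.
if (-not (Get-CAAuthorityInformationAccess | Where-Object Uri -eq $HttpAia)) {
    Add-CAAuthorityInformationAccess -Uri $HttpAia -AddToCertificateAia -Force
}

# Extension changes apply only after the CA service restarts; then publish a fresh CRL
# so the web share holds a current file before any DMZ host is pointed at it.
Restart-Service certsvc
certutil -CRL

# --- Verification, run on a DMZ host once its HOSTS entry for pki.contoso.example is in place ---
# Fetch the CRL over HTTP and confirm it parses; NextUpdate shows how long DMZ hosts can
# keep working on a cached CRL if the CA site is unreachable.
$crl = Join-Path $env:TEMP 'issuing.crl'
Invoke-WebRequest -Uri 'http://pki.contoso.example/CertEnroll/Contoso-Issuing-CA.crl' -OutFile $crl
certutil -dump $crl | Select-String 'NextUpdate'

# Full chain validation with on-line CDP/AIA retrieval for a Lync certificate; a remaining
# "ldap:///" failure is expected from the DMZ, but every "http://" line must report Verified.
certutil -verify -urlfetch C:\certs\lync-edge.cer
```

Note that certificates issued before the CDP change still carry only the old URLs, so Lync servers in the DMZ need to be re-issued after the restart.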
