
Certificate Services


Chris Hilton
Sep 5, 2005, 7:01:03 AM
I am planning the implementation of PKI and require some advice. I am
currently running a 2003 domain. I would like to set up a hierarchy involving
an offline root CA and an online subordinate CA. I would like the online CA
to be an enterprise subordinate CA utilising AD.

1. Should (or can) the offline root be a stand alone root CA, or should I
install it as an enterprise offline root CA?

2. If I can (and do) install it as an enterprise offline root CA would it be
on a member server or a Domain controller? (if on a DC how will the domain
cope with a DC being offline?)

3. Can the offline CA be installed on a Virtual Server?
--
Chris

Wong Tuck Wah
Sep 5, 2005, 10:29:04 AM
pls see in-line.


> 1. Should (or can) the offline root be a stand alone root CA, or should I
> install it as an enterprise offline root CA?

The root CA can be installed as either SA or Ent. But it is preferred to be
a standalone.


> 2. If I can (and do) install it as an enterprise offline root CA would it be
> on a member server or a Domain controller? (if on a DC how will the domain
> cope with a DC being offline?)

It is never recommended to be installed on a DC, except in a testing or
training environment. If you bring down your DC, the AD replication will
experience problems with other DCs in the replication ring. So don't ever do
it.

> 3. Can the offline CA be installed on a Virtual Server?

Yes, no problem at all, as long as the guest OS is able to communicate with
the network.

HTH.

Paul Adare
Sep 5, 2005, 4:08:36 PM
In article <416B1394-CF98-4D74...@microsoft.com>, in the
microsoft.public.security news group, Wong Tuck Wah
<WongT...@discussions.microsoft.com> says...

> pls see in-line.
>
>
> > 1. Should (or can) the offline root be a stand alone root CA, or should I
> > install it as an enterprise offline root CA?
>
> The root CA can be installed as either SA or Ent. But it is preferred to be
> a standalone.

By definition an offline root must be standalone. You can't have an
Enterprise root offline.


>
>
> > 2. If I can (and do) install it as an enterprise offline root CA would it be
> > on a member server or a Domain controller? (if on a DC how will the domain
> > cope with a DC being offline?)
>
> It is never recommended to be installed on a DC, except in a testing or
> training environment. If you bring down your DC, the AD replication will
> experience problems with other DCs in the replication ring. So don't ever do
> it.
>
> > 3. Can the offline CA be installed on a Virtual Server?
>
> Yes, no problem at all, as long as the guest OS is able to communicate with
> the network.

This won't be supported until R2 of Virtual Server is released.
>
> HTH.
>
>

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
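The placement rules the replies converge on (an offline root must be a standalone CA, an enterprise CA needs a domain-joined member server, and no CA belongs on a DC) can be checked on an existing CA host. This is an added example, not code from the thread or from Microsoft; it assumes the CertSvc registry layout (Configuration\Active names the CA, and the CA's key holds a CAType DWORD) and the Win32_ComputerSystem DomainRole codes.

```powershell
# Added example: audit a CA host against the advice in this thread.
# Assumed CAType codes from certsrv.h: 0 = Enterprise Root, 1 = Enterprise
# Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate.
$caTypes = @{ 0 = 'EnterpriseRoot'; 1 = 'EnterpriseSubordinate'
              3 = 'StandaloneRoot'; 4 = 'StandaloneSubordinate' }

function Get-CaPlacement {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $cfg)) { throw 'Certificate Services is not installed on this host.' }
    $active   = (Get-ItemProperty -Path $cfg -Name Active).Active
    $typeCode = [int](Get-ItemProperty -Path (Join-Path $cfg $active) -Name CAType).CAType
    # DomainRole: 0/1 workstation, 2 standalone server, 3 member server, 4/5 DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        CAName             = $active
        CAType             = if ($caTypes.ContainsKey($typeCode)) { $caTypes[$typeCode] } else { "Unknown($typeCode)" }
        IsDomainJoined     = ($role -in 1, 3, 4, 5)
        IsDomainController = ($role -in 4, 5)
    }
}

function Test-CaPlacement {
    param([Parameter(Mandatory)] $Placement)
    $findings = @()
    if ($Placement.IsDomainController) {
        $findings += 'CA runs on a domain controller; move it to a member server.'
    }
    if ($Placement.CAType -eq 'EnterpriseRoot') {
        $findings += 'Root is an enterprise CA, which cannot be taken offline; an offline root must be standalone.'
    }
    if ($Placement.CAType -like 'Enterprise*' -and -not $Placement.IsDomainJoined) {
        $findings += 'Enterprise CA requires a domain-joined member server.'
    }
    if ($findings.Count -eq 0) { $findings += 'No placement issues found.' }
    $findings
}

# Usage on the CA host (requires local administrator rights to read CertSvc config):
Test-CaPlacement -Placement (Get-CaPlacement)
```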

Wong Tuck Wah
Sep 5, 2005, 9:04:01 PM
Thanks for the clarification, Paul. I missed out this important point.