Is there a good reason not to install AD Certificate Services on a 2008 domain controller ?


  • Tuesday, 7 September 2010 14:04

    Is there a good reason not to install the CA role on a 2008 domain controller? And could the role be moved fairly easily to another server later if required?

    thanks

All replies

  • Tuesday, 7 September 2010 14:10

    There is no good reason to use it. Use a member server instead...

    hth
    Marcin

  • Tuesday, 7 September 2010 15:37
     Answered

    Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:

    • After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
    • Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
    • Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
    • You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
    • It is unadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk.

    The role is fairly easily moved to another server.

    • Proposed as answer by Mike Kline MVP, Tuesday, 7 September 2010 15:41
    • Marked as answer by TechJet 2011, Tuesday, 7 September 2010 20:19
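    As an added example (not from the thread, and not Microsoft's own tooling), the following PowerShell inventories the Enterprise CAs published in Active Directory and flags any whose host is also a domain controller, so a co-located CA can be planned for migration to a member server before the renaming/demotion and offline-root limits above become a problem. It assumes the ActiveDirectory module (RSAT on Server 2008 R2 or later) and a domain account that can read the Configuration partition; the function name Find-CAOnDomainController is my own.

```powershell
# Added example: find Enterprise CAs that are installed on domain controllers.
# Assumes the ActiveDirectory module (Server 2008 R2+ RSAT) and read access
# to the forest Configuration partition.
Import-Module ActiveDirectory

function Find-CAOnDomainController {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Every Enterprise CA publishes a pKIEnrollmentService object under this container.
    $caBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    $cas = Get-ADObject -SearchBase $caBase -SearchScope OneLevel `
        -Filter { objectClass -eq 'pKIEnrollmentService' } `
        -Properties dNSHostName, displayName

    # Collect the FQDN of every DC in every domain of the forest.
    $dcs = (Get-ADForest).Domains | ForEach-Object {
        Get-ADDomainController -Filter * -Server $_
    } | ForEach-Object { $_.HostName.ToLower() }

    foreach ($ca in $cas) {
        $caHost = $ca.dNSHostName.ToLower()
        [pscustomobject]@{
            CAName       = $ca.displayName
            Host         = $caHost
            OnDomainCtrl = ($dcs -contains $caHost)
        }
    }
}

# Report only the CAs that share a host with a DC; these are the ones the
# thread recommends moving to a member server.
Find-CAOnDomainController |
    Where-Object { $_.OnDomainCtrl } |
    Format-Table CAName, Host -AutoSize
```

    Running it with no output means no published Enterprise CA sits on a DC; standalone (non-Enterprise) CAs are not published in AD and must be checked on the host itself.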
  • Tuesday, 7 September 2010 20:20
    Thanks Sander.
  • Tuesday, 7 September 2010 22:44

    Putting a CA on a DC will also complicate your backup/recovery strategy. Much simpler to keep the roles separate.

    Alexei

  • Thursday, 9 September 2010 05:59
    Moderator

    Hi,

    Besides the above information, here are the best practices:

    Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure

    http://www.microsoft.com/downloads/details.aspx?familyid=0BC67F4E-4FCF-4717-89E8-D0EE5E23A242&displaylang=en

    Hope it helps.

    Regards,

    Bruce

  • Monday, 30 May 2011 18:57

    Hello Sander Berkouwer,

    My situation is the following: the CA is on WS2003, which is a DC, and I want to migrate it to WS2008, which is also a DC.

    The CA is Standard edition.

    Can you tell me whether this decision is a good one?

  • Monday, 9 January 2012 22:39

    Hi,

    Besides the above information, here are the best practices:

    Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure

    http://www.microsoft.com/downloads/details.aspx?familyid=0BC67F4E-4FCF-4717-89E8-D0EE5E23A242&displaylang=en

    Hope it helps.

    Regards,

    Bruce


    This is for Server 2003; is there an updated version for Server 2008? Does everything contained within still hold true for 2008?

    Regards,

    Brett

  • Thursday, 20 December 2012 13:35

    Hi,

    I have exactly the same situation (CA on WS2003 and I'm going to migrate to 2008). What would be the best option?

    Thank you.