Active Directory Certificate Services and VMware Site Recovery Manager

Question
-
Does anyone have any experience with using VMware's SRM to failover an Enterprise CA to a new VMware host at a different site for the purposes of disaster recovery?
A customer I am working with is keen to virtualise their entire Windows estate. While I have suggested running two Enterprise CAs, one in each data centre, the customer is unconvinced of the need for the second CA and wants SRM to manage availability.
I don't have much experience with VMware and its associated technologies and am concerned about the risk of data corruption, particularly to the CA database, when SRM is involved.
Has anyone used this approach to provide availability for an Enterprise CA? Would it even be viewed as a supported configuration by Microsoft?
Steve G
Monday, September 5, 2011 8:10 AM
Answers
-
Hi Steven,
If your purpose is failover, you need to configure the CA as a failover cluster. For more information, please refer to:
Certification Authority Clustering Configuration and Troubleshooting Guide
http://technet.microsoft.com/en-us/library/cc742517(WS.10).aspx
Another option is making an effective disaster recovery plan to ensure that, in the event of failure of the server hosting Certificate Services, you can recover in a timely manner. However, this is not failover, so you have to complete the restore process to a new server in a timely manner with little effect on your organization. For more information, please refer to:
Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
Regarding the VMware Site Recovery Manager, please understand that I’m not familiar with it and you may contact VMware support.
Regards,
Bruce
Forum Support
Thursday, September 8, 2011 9:50 AM -
Yes. The only way to do failover is to configure the CA as a failover cluster.
Here is more information which may be helpful for you:
Designing and Implementing a PKI: Part V Disaster Recovery
Active Directory Certificate Services: backup/failover?
Regards,
Bruce
- Marked as answer by Bruce-Liu Wednesday, September 21, 2011 9:17 AM
Friday, September 9, 2011 9:14 AM
All replies
-
Why not use two Enterprise CAs? That should be an easy method.
Wednesday, September 7, 2011 7:24 AM -
Hi, Bruce,
Thanks for the reply. Are you stating that CA availability is only supported if accomplished through an active/passive cluster? If this is the case, that's fine, I can pursue my CA in each data centre option. For future reference, can I assume that providing availability for a CA server using VMware Site Recovery Manager is an unsupported configuration?
Steve G
Thursday, September 8, 2011 9:57 AM