Exchange server is also a Certificate Authority. Any way to separate them?

  • Question

  • Hi everyone,

    I just wanted to ask some questions regarding Exchange. I just started administering a network and found something strange.

    Well, basically we have an Exchange Server 2003 hosted on Windows 2003 that is also acting as a CA. Is it good practice to have a CA and Exchange hosted on the same server?

    Also on the network there is a DC that is acting as a separate CA and both have totally different certificates. Is there a way to combine them on a single server?

    Thanks in advance.

    Wednesday, April 20, 2011 10:08 AM

Answers

  • On Wed, 20 Apr 2011 10:08:54 +0000, YPadmin wrote:
     
    >I just wanted to ask some questions regarding Exchange. I just started administering a network and found something strange.
    >
    >Well, basically we have an Exchange Server 2003 hosted on Windows 2003 that is also acting as a CA. Is it good practice to have a CA and Exchange hosted on the same server?
     
    If you only have one server then it's what you have to do. But putting
    a CA on a shared machine isn't the best idea. Running it in a VM would
    be acceptable.
     
    >Also on the network there is a DC that is acting as a separate CA and both have totally different certificates. Is there a way to combine them on a single server?
     
    Not that I know of. You can reissue certificates from one of them and
    remove it. You should be asking this question in the O/S forums,
    though.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Thursday, April 21, 2011 1:46 AM

All replies

  • Personally, I wouldn't put a CA on either an Exchange Server or a DC. It complicates (amongst other things) recovery, maintenance and upgrades.

    As Rich suggests, consider virtualising machines to assist with role separation.


    Tony
    Thursday, April 21, 2011 2:09 AM
  • Thank you both for the replies.

    I will ask in the O/S forums as suggested. However, I have a question regarding Exchange and the CA on it. I have noticed that the CA on it has a certificate for one of the DCs but not the other. When we turn off this particular DC we lose connection to Exchange even though the other DC is still online. Is this because it doesn't have the certificate of the other DC?

    Thanks in advance.

    Thursday, April 21, 2011 7:43 AM
  • On Thu, 21 Apr 2011 07:43:41 +0000, YPadmin wrote:
     
    >Thank you both for the replies.
    >
    >I will ask in the O/S forums as suggested. However, I have a question regarding Exchange and the CA on it. I have noticed that the CA on it has a certificate for one of the DCs but not the other. When we turn off this particular DC we lose connection to Exchange even though the other DC is still online. Is this because it doesn't have the certificate of the other DC?
     
    What does "lose the connection" mean? If you have two DCs and you shut
    down the one that Exchange is using, it takes a while for Exchange to
    discover the problem and switch to the other DC. If you restart the
    system attendant service it should perform a topology discovery and
    switch to the active DC.
     
    It's quite possible that your Exchange server doesn't have the CA's
    root certificate in its local certificate store as a "trusted root
    certificate". That's easy enough to remedy, though.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Friday, April 22, 2011 12:47 AM
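
A quick way to verify the "trusted root" point Rich raises, as an added example that is not part of the thread: run this PowerShell on the Exchange host to see whether each certificate in the machine's personal store chains to a root that the machine actually trusts. It uses only standard PowerShell certificate-drive paths and .NET's X509Chain; no names from the original servers are assumed.

```powershell
# Added example (not from the thread): check whether each certificate in the
# local machine's personal store chains to a root this machine trusts.
# Run on the Exchange server; needs only .NET's X509Chain, no extra modules.
# Status names such as UntrustedRoot are .NET X509ChainStatusFlags values.

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checking so the result does not depend on CRL reachability;
    # the question here is trust in the issuing root, not revocation.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        ChainValid = $chainOk
        # Empty when the chain is fine; 'UntrustedRoot' is the condition Rich
        # describes: the issuing CA's root is missing from Cert:\LocalMachine\Root.
        Problems   = $status
    }
    $chain.Reset()
}

$results | Format-Table -AutoSize

# Roots the machine currently trusts, for comparison with the Issuer column.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter |
    Sort-Object Subject | Format-Table -AutoSize
```

A row showing UntrustedRoot whose Issuer matches one of the in-house CAs means that CA's root certificate has to be imported into the Trusted Root Certification Authorities store of the local machine (not the user) before services on that host will accept certificates it issued.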