Anyone have a hint for me here? I have a child domain deployed in a forest with an "empty root". I need to enable certificate services in a child domain and am trying to plan a hierarchy. I do see lots of documentation about doing an offline root; however, I do not believe I will have that luxury. So in my hierarchy, does it matter if I put the enterprise root in my forest root and the subordinate CA in the child domain?
The offline root recommendation, aka a multi-tiered hierarchy, is a security recommendation to ensure that the certificate chain is not easily compromised. It should be noted that the CA structure and the domain structure are independent, so as long as you set the correct permissions on the templates for enrollment you can place your Enterprise CA anywhere in the forest. I would recommend having an offline standalone CA and a subordinate Enterprise CA as your issuing CA. There are of course many things to consider when planning a PKI hierarchy, and the following book is a good reference: http://www.microsoft.com/mspress/books/6745.aspx. I would also recommend reading the following papers as well:
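As an added example (not from the thread or from Microsoft), the script below shows why CA placement is forest-wide rather than per domain: Enterprise CAs and certificate templates live in the Configuration partition, which every domain in the forest replicates. It enumerates the published Enterprise CAs and, for each template a CA publishes, reports which principals hold the Enroll right, so the template permissions the answer mentions can be audited before the issuing CA goes into the child domain. It assumes the ActiveDirectory RSAT module and an account that can read the Configuration naming context.

```powershell
# Added example: audit Enterprise CA placement and template Enroll rights in the forest.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration NC.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Certificate-Enrollment extended right GUID; an Enroll ACE on a template carries it.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$rightsType  = [System.DirectoryServices.ActiveDirectoryRights]

function Test-EnrollAce($ace) {
    # Enrollment is granted by an explicit Enroll ACE, by "all extended rights"
    # (ExtendedRight with an empty ObjectType), or by GenericAll on the template.
    if ($ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $ace.ActiveDirectoryRights
    if (($rights -band $rightsType::GenericAll) -eq $rightsType::GenericAll) { return $true }
    if (($rights -band $rightsType::ExtendedRight) -ne 0) {
        return ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)
    }
    return $false
}

# Enterprise CAs are registered here no matter which domain hosts the CA server.
$cas = Get-ADObject -Server $forest.RootDomain `
    -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, certificateTemplates

foreach ($ca in $cas) {
    "CA '$($ca.Name)' on host $($ca.dNSHostName)"
    foreach ($tmpl in $ca.certificateTemplates) {
        # Templates are also forest-wide objects in the Configuration partition.
        $tmplDN = "CN=$tmpl,CN=Certificate Templates,$pkiBase"
        $acl = Get-Acl -Path "AD:\$tmplDN"
        $enrollers = $acl.Access |
            Where-Object { Test-EnrollAce $_ } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        "  template $tmpl : Enroll = $($enrollers -join ', ')"
    }
}
```

Run it from any domain in the forest; because the Configuration partition is shared, the output is the same whether the CA server sits in the empty root or in the child domain.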