Is there a good reason not to install AD Certificate Services on a 2008 domain controller?

  • Question

  • Is there a good reason not to install the CA role on a 2008 domain controller? And could the role be moved fairly easily to another server later if required?

    thanks

    Tuesday, September 7, 2010 2:04 PM

Answers

  • Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:

    • After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
    • Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
    • Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
    • You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
    • It is inadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk.

    The role is fairly easily moved to another server.

    • Proposed as answer by Mike Kline Tuesday, September 7, 2010 3:41 PM
    • Marked as answer by Forum2018 Tuesday, September 7, 2010 8:19 PM
    Tuesday, September 7, 2010 3:37 PM
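The two practical questions in this thread (is this box a DC, and what has to be captured to move the CA elsewhere) can be checked from an elevated PowerShell prompt. The following script is an added example, not code from the thread or from Microsoft: it reports the host's domain role, flags the DC-plus-CA combination the answer warns about, and then backs up the pieces a CA move depends on (database and private key via certutil -backup, the CertSvc configuration registry key, the published templates and the CRL/AIA publication URLs). The $BackupDir path and the $BackupPassword parameter are assumptions for illustration.

```powershell
# Added example (not from the thread): pre-flight check and backup before
# installing or relocating AD CS. Run elevated on the server in question.
param(
    [string]$BackupDir = 'C:\CABackup',          # assumed path, pick your own
    [string]$BackupPassword = 'ChangeMe-Example'   # protects the exported key; assumed
)

# 1. Domain role: 0/1 workstation, 2 standalone server, 3 member server,
#    4 backup DC, 5 primary DC (Win32_ComputerSystem.DomainRole).
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# 2. Is a CA configured here? The active CA name lives under CertSvc\Configuration.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = if (Test-Path $cfgKey) { (Get-ItemProperty -Path $cfgKey).Active } else { $null }

if ($isDC -and $caName) {
    Write-Warning "$env:COMPUTERNAME is a domain controller (DomainRole=$role) and hosts CA '$caName'."
    Write-Warning "It cannot be renamed or demoted while the CA role is installed; plan the move first."
}
elseif ($isDC) {
    Write-Warning "$env:COMPUTERNAME is a domain controller; install the CA role on a member server instead."
    return
}
elseif (-not $caName) {
    Write-Output "No CA is configured on $env:COMPUTERNAME; nothing to back up."
    return
}

# 3. Back up the CA database and private key. certutil -backup writes the
#    DataBase folder and a PKCS#12 file (<CAName>.p12) protected by -p.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& certutil.exe -p $BackupPassword -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# 4. Export the CertSvc configuration key; it is restored on the new server
#    after the role is installed there with the same CA name.
$regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

# 5. Record the published templates (enterprise CA only) and the CRL/AIA
#    publication points, which reference the old host name and must be
#    re-created on the new server.
& certutil.exe -catemplates | Out-File -FilePath (Join-Path $BackupDir 'templates.txt')
Get-ItemProperty -Path "$cfgKey\$caName" -Name CRLPublicationURLs, CACertPublicationURLs |
    Select-Object -ExpandProperty CRLPublicationURLs -OutVariable crl |
    Out-File -FilePath (Join-Path $BackupDir 'crl-urls.txt')
(Get-ItemProperty -Path "$cfgKey\$caName" -Name CACertPublicationURLs).CACertPublicationURLs |
    Out-File -FilePath (Join-Path $BackupDir 'aia-urls.txt')

Write-Output "CA '$caName' backed up to $BackupDir. Review the URL files for references to $env:COMPUTERNAME."
```

The backup password is passed as a plain parameter here only to keep the example self-contained; in practice prompt for it or read it from a protected store, and remember that the .p12 file in $BackupDir is the CA's signing key and must be handled accordingly. Any CRL or AIA URL that names the old server will have to be changed on the new CA, or clients will fail revocation checking once the old host is gone.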

All replies

  • There is no good reason to use it. Use a member server instead...

    hth
    Marcin

    Tuesday, September 7, 2010 2:10 PM
  • Thanks Sander.
    Tuesday, September 7, 2010 8:20 PM
  • Putting a CA on a DC will also complicate your backup/recovery strategy.  Much simpler to keep the roles separate.

    Alexei

    Tuesday, September 7, 2010 10:44 PM
  • Hi,

    Besides the above information, here are the best practices:

    Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
    http://www.microsoft.com/downloads/details.aspx?familyid=0BC67F4E-4FCF-4717-89E8-D0EE5E23A242&displaylang=en

    Hope it helps.

    Regards,
    Bruce

    Thursday, September 9, 2010 5:59 AM
  • Hello Sander Berkouwer,

    My situation is the following: CA in WS2003 which is a DC and I want to migrate it to WS2008 which is also a DC.

    CA is Standard edition.

    Can you tell me whether this decision is a good one?

    Monday, May 30, 2011 6:57 PM
  • Hi,

    Besides the above information, here are the best practices:

    Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
    http://www.microsoft.com/downloads/details.aspx?familyid=0BC67F4E-4FCF-4717-89E8-D0EE5E23A242&displaylang=en

    Hope it helps.

    Regards,
    Bruce

    This is for Server 2003; is there an updated version for Server 2008? Does everything contained within still hold true for 2008?

    Regards,

    Brett

    Monday, January 9, 2012 10:39 PM
  • Hi,

    I have exactly the same situation (CA in WS2003 and I'm going to migrate to 2008). What would be the best option?

    Thank you.

    Thursday, December 20, 2012 1:35 PM