Is there a good reason not to install AD Certificate Services on a 2008 domain controller ?
Answers
Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:
- After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
- Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
- Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
- You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
- It is unadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk.
The role is fairly easily moved to another server.
- Proposed as answer by Mike Kline Tuesday, September 7, 2010 3:41 PM
- Marked as answer by Forum2018 Tuesday, September 7, 2010 8:19 PM
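An added example, not part of the thread: a read-only audit that lists the Enterprise CAs published in Active Directory and flags any whose host is also a domain controller, the placement the answer above cautions against. It assumes a domain-joined machine and uses ADSI rather than the ActiveDirectory module; the function name `Find-DnsHostName` is made up for this sketch.

```powershell
# Added example (not from the thread). Read-only LDAP queries through ADSI.
# Limits: only Enterprise CAs are published under "Enrollment Services", so a
# standalone CA will not appear; only DCs of the current domain are compared.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

function Find-DnsHostName {
    param([string]$SearchBase, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('dnshostname')
    foreach ($r in $searcher.FindAll()) {
        # Skip objects that carry no dNSHostName value.
        if ($r.Properties['dnshostname'].Count -gt 0) {
            New-Object PSObject -Property @{
                Name = [string]$r.Properties['cn'][0]
                Host = ([string]$r.Properties['dnshostname'][0]).ToLower()
            }
        }
    }
}

# Domain controllers: computer accounts with SERVER_TRUST_ACCOUNT (0x2000 = 8192) set.
$dcFilter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$dcHosts  = @(Find-DnsHostName $domainNC $dcFilter | ForEach-Object { $_.Host })

# Enterprise CAs: pKIEnrollmentService objects in the configuration partition.
$caBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas    = @(Find-DnsHostName $caBase '(objectClass=pKIEnrollmentService)')

foreach ($ca in $cas) {
    New-Object PSObject -Property @{
        CAName             = $ca.Name
        CAHost             = $ca.Host
        OnDomainController = ($dcHosts -contains $ca.Host)
    }
}
```

Any row with `OnDomainController` set to `True` is a CA sharing a host with a domain controller.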
All replies
Hi,
Besides the above information, here are the best practices:
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
Hope it helps.
Regards,
Bruce
-
This is for server 2003, is there an updated version for server 2008? Does everything contained within still hold true for 2008?
Regards,
Brett