Is there a good reason not to install AD Certificate Services on a 2008 domain controller?


  • Is there a good reason not to install the CA role on a 2008 domain controller? And could the role be moved fairly easily to another server later if required?


    Tuesday, September 7, 2010 14:04


  • Depending on your Active Directory Certificate Services deployment scenario, you might encounter the following situations:

    • After you install a Certificate Authority on a Domain Controller, the Domain Controller can no longer be renamed or demoted.
    • Switching to an Enterprise Root Authority (for v3 templates) from a Standard Root Authority requires reinstallation of Windows Server. Reinstallation of Domain Controllers is not to be taken lightly.
    • Upgrading the Certificate Authority requires upgrading the Active Directory Domain Controller and thus Active Directory Schema.
    • You cannot deploy an offline root Certificate Authority on a Domain Controller (and keep it offline for a period longer than the default tombstone lifetime).
    • It is unadvisable to deploy an Internet-facing Certificate Authority or Online Responder on a Domain Controller. This is a serious security risk.

    The role is fairly easily moved to another server.

    • Proposed as answer by Mike Kline Tuesday, September 7, 2010 15:41
    • Marked as answer by Forum2015 Tuesday, September 7, 2010 20:19
    Tuesday, September 7, 2010 15:37
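
An audit check for the situation discussed in the answer above, added here as an example and not part of the original thread: it flags Enterprise CAs published in Active Directory whose host is also a domain controller. The function name, the sample host names and the use of the RSAT ActiveDirectory module for live collection are assumptions.

```powershell
# Added example: flag Enterprise CAs whose host is also a domain controller.
# Live collection (assumes the RSAT ActiveDirectory module and a domain-joined host):
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   $cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
#            -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName |
#          Select-Object Name, dNSHostName
#   $dcs = Get-ADDomainController -Filter * | Select-Object HostName

function Find-CAOnDomainController {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $CertificationAuthority,  # needs Name, dNSHostName
        [Parameter(Mandatory)] [object[]] $DomainController         # needs HostName
    )
    # Index DCs by normalized FQDN (lower case, no trailing dot).
    $dcIndex = @{}
    foreach ($dc in $DomainController) {
        $dcIndex[$dc.HostName.Trim().TrimEnd('.').ToLowerInvariant()] = $dc
    }
    # Emit one row per CA, marking those co-hosted with a DC.
    foreach ($ca in $CertificationAuthority) {
        $caHost = $ca.dNSHostName.Trim().TrimEnd('.').ToLowerInvariant()
        [pscustomobject]@{
            CAName = $ca.Name
            Host   = $caHost
            OnDC   = $dcIndex.ContainsKey($caHost)
        }
    }
}

# Constructed sample data (hypothetical names) so the function runs without a domain.
$cas = @(
    [pscustomobject]@{ Name = 'Contoso-Issuing-CA'; dNSHostName = 'DC01.contoso.example' }
    [pscustomobject]@{ Name = 'Contoso-Legacy-CA';  dNSHostName = 'pki01.contoso.example.' }
)
$dcs = @(
    [pscustomobject]@{ HostName = 'dc01.contoso.example' }
    [pscustomobject]@{ HostName = 'dc02.contoso.example' }
)

Find-CAOnDomainController -CertificationAuthority $cas -DomainController $dcs |
    Sort-Object OnDC -Descending | Format-Table -AutoSize
```

Only CAs that publish an enrollment service object in the configuration partition are covered by the live query in the comments; a CA that is not published there would need to be checked on the host itself.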
