AD CS Design and scalability question
good day, everyone. have question cetrificate services design.
let's have 1 company consisted 1 site have 500 users in it. , company have ad cs server deployed. 2008 r2 single enterprise root ca, domain member, no other ca servers, no additional issuing servers.
in recent future company planning buy company, locating in other town. have sort of wan connection between them, connection slow , unreliable. company2 has total mess in it infrastructure , lots of users , on time workstations migrated in company1's domain. in end 1 ad domain left.
the question is: valid solution set subordinate issuing ca in company2's site users company1 obtain certificates root ca , users company2 obtain certificates subordinate ca? assume root ca's certificate added trusted list on computers in both sites.
hi,
the certificate enrollment process not site awareness. means enrollment code not see site client , ca in. enrollment code queries list of enrollment service objects, , based on templates ca supports , template user/computer attempting enroll how works.
if more 1 ca able issue certificate, selects ca enroll against randomly. however, following options may achieve similar result:
- create 2 certificate template same usage and add them different ca. example, add certificate template root ca , template b subordinate ca.
- manually specify ca when request certificate.
hope helps.
this posting provided "as is" no warranties, , confers no rights. please remember click “mark answer” on post helps you, , click “unmark answer” if marked post not answer question. can beneficial other community members reading thread.
Windows Server > Security
Comments
Post a Comment