7

I am setting up a Microsoft AD to be my CA. After research, it looks like I need to have a domain controller before I can issue certs through the CA. Would it be possible to place both the CA and the DC on the same server?

HopelessN00b
Kwazii

1 Answer

11

You need to be joined to a domain to be an Enterprise CA, but you do not need to be domain joined in order to be a standalone CA. An Enterprise CA adds features that come along with being integrated with Active Directory, but the downside is that you cannot take it offline as you would do with a high-security root CA.

Yes, it is possible to install AD CS on the same server as a domain controller. But it is not really recommended. It's best practice to have a domain controller just being a domain controller. The more services you install on one system, the more services you will lose when that one system goes down.

Edit: You can also explore more robust designs, such as having an offline root CA, and an Enterprise issuing CA.

Ryan Ries
  • Thank you. Splitting the services in my setup wouldn't matter availability-wise. If I split them they would be on the same VM environment, and if the VM server goes down, everything goes down! – Kwazii Jan 09 '13 at 21:01
  • Cool. Just throwing ideas out there. Also, I highly recommend the following step-by-step guides to simple PKI deployment. They're very informative: http://blogs.technet.com/b/mspfe/archive/2013/01/02/pki-deployment-step-by-step-guides.aspx – Ryan Ries Jan 09 '13 at 21:03
  • @Kwazii what do you mean "everything goes down"? My CA is OFF most of the time for security reasons. CA certificates stay valid when the CA is not active. – TomTom Jan 09 '13 at 21:35
  • My whole virtual infrastructure goes down... all my critical applications are on the same VM server for testing. – Kwazii Jan 09 '13 at 21:40
  • If your host goes down, all the guests will go down. That is true. However, if an individual guest blue screens, gets corrupted, gets overwhelmed by domain requests, etc., it would not necessarily take down other guests. But if you have your CA running on the DC, and the only guest DC gets corrupted, you would also lose your CA. Then you would have to restore a DC to get your CA back. Having your CA on your DC also makes it harder to upgrade your domain later, as it requires you to remove the CA from the DC before you can demote the DC. – Rex Jan 09 '13 at 22:35
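The answer and the comments above boil down to an audit question: is the AD CS role sitting on a domain controller, and is it an Enterprise or a standalone CA? The following PowerShell is an added example, not code from the original post or from any of its participants. It assumes a Windows Server host with the ServerManager module available (for Get-WindowsFeature), and it reads the CA type from the CertSvc configuration registry key; the CAType numeric values mapped below (0 Enterprise Root, 1 Enterprise Subordinate, 3 Standalone Root, 4 Standalone Subordinate) are an assumption drawn from the AD CS registry layout and should be checked against the OS version in use.

```powershell
# Added example (not from the original post): report whether this server hosts the
# AD DS and AD CS roles together, and which CA type is configured, so the
# co-location trade-off discussed above can be seen per host.
# Assumptions: ServerManager module present; CAType stored under
# HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>.

function Get-CaColocationReport {
    [CmdletBinding()]
    param()

    Import-Module ServerManager -ErrorAction Stop

    # Role presence via the Windows feature inventory.
    $features = Get-WindowsFeature -Name 'AD-Domain-Services', 'ADCS-Cert-Authority'
    $isDc = [bool]($features | Where-Object Name -eq 'AD-Domain-Services').Installed
    $isCa = [bool]($features | Where-Object Name -eq 'ADCS-Cert-Authority').Installed

    # Assumed CAType encoding (verify on the target OS).
    $caTypeNames = @{
        0 = 'Enterprise Root'
        1 = 'Enterprise Subordinate'
        3 = 'Standalone Root'
        4 = 'Standalone Subordinate'
    }

    $caType = $null
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if ($isCa -and (Test-Path $configKey)) {
        # The CA's own configuration is a subkey named after the CA.
        $caKey = Get-ChildItem -Path $configKey | Select-Object -First 1
        if ($caKey) {
            $raw = (Get-ItemProperty -Path $caKey.PSPath -Name CAType -ErrorAction SilentlyContinue).CAType
            if ($null -ne $raw) {
                $caType = $caTypeNames[[int]$raw]
                if (-not $caType) { $caType = "Unknown ($raw)" }
            }
        }
    }

    # Summarise the operational consequence raised in the thread.
    $finding = if ($isDc -and $isCa) {
        'CA is co-located with a domain controller: losing this host loses both roles, ' +
        'and the CA must be removed before the DC can be demoted.'
    } elseif ($isCa) {
        'CA runs on a member or standalone server (not a DC).'
    } elseif ($isDc) {
        'Domain controller without AD CS.'
    } else {
        'Neither AD DS nor AD CS is installed.'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DomainController     = $isDc
        CertificateAuthority = $isCa
        CAType               = $caType
        Finding              = $finding
    }
}

Get-CaColocationReport | Format-List
```

Run it on each server under review; a row with both role flags set to True is the configuration the answer advises against, and the CAType field tells you whether taking that CA offline (as TomTom describes) is even an option, since an Enterprise CA has to stay domain-joined.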