Re: Cert Authority
- From: "Altria" <urbantec92@xxxxxxx>
- Date: Fri, 5 Dec 2008 09:13:00 -0500
Thanks Dusko!
Well, I didn't mean encryption amongst DCs in terms of replication; I was
speaking in terms of AD bind authentication to work under port 636 (sldap).
The most important aspect would be secure LDAP authentication.
This is a huge network, and yes, I do not think it is difficult to implement,
but it appears that it would seem prudent not to have it on a Domain
Controller, simply in terms of separate recovery procedures without
impacting other services on the box.
There will be no loss of money but certainly connectivity issues, if secure
LDAP is required for services which we provide. I would like sldap on all
available DCs for auth purposes.
Does this make sense?
Thanks,
Altria
"Dusko Savatovic" <nospam.savatovic@xxxxxxxxx> wrote in message
news:edcQigrVJHA.6116@xxxxxxxxxxxxxxxxxxxxxxx
Interesting question.
The answer, of course, depends on many factors.
You must assess your current infrastructure.
- What is the size of your network?
- What is the size of your company?
- What is the number of users of your service?
- Can a compromise of your CA cost you a lot of money?
When you compare the cost of potential loss and recovery of the CA with the
cost of keeping this service on existing hardware or dedicated hardware,
you should reach your own decision.
Some technical answers follow.
1. There is no reason why you should not install a CA on a DC.
2. If you plan on installing a CA on new hardware, I'd recommend Win 2008
Certificate Services. This is one component that was much improved in Win
Srv 2008.
3. For protecting network traffic between your servers in your domain, you
can use IPSec without certificates. You can use Kerberos or a preshared
secret.
4. Active Directory replication traffic between DCs is already encrypted.
Conclusion
Adding CA role to a server is really not difficult.
Operating CA is not difficult.
The difficult part is keeping it safe from compromise and healthy, and
restoring its functionality in case of failure or compromise.
You must have a clear policy and steps for how to transfer an existing CA to a
new server, and what to do in case of compromise or loss of the CA. This usually
means replacing all issued certificates. Not a big deal if you have 100
local users, but a big deal if you have 10,000 users who are paying
customers and their certificates are stored on smartcards etc.
"Altria" <urbantec92@xxxxxxx> wrote in message
news:ejrlFylVJHA.4384@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,
I often come across different opinions on CA installations. I have seen
that it is not recommended on a DC, but I was wondering what the MS best
practice is. I cannot find the TechNet article that states this. I do agree
that it should be off a DC simply because it is another service that
would be better off isolated, and since it requires its own
infrastructure, it should be treated as a specialized service with
dedicated hardware.
BTW, Win2k3--Ent CA for only encryption between DCs within the domain,
not for clients.
Any advice
thanks,
Altria
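The first post's stated goal is LDAP binds over TLS on port 636 on every DC. Once a CA (on a DC or on dedicated hardware) has issued the DC certificates, the check an administrator wants is whether each DC actually serves LDAPS with a certificate that names it, is within its validity period, and chains to the enterprise CA. The script below is an added example written for this page, not code from any of the posters; it uses only the Python standard library. The DC hostnames, the CA bundle path and the sample certificate dictionary are constructed for illustration.

```python
"""Check that a domain controller answers LDAPS (TCP 636) with a certificate clients will accept.

Standard library only. check_ldaps_cert() works on the dictionary shape that
ssl.SSLSocket.getpeercert() returns, so it can be exercised offline; probe_dc()
performs the real handshake against a DC and feeds the result to the same check.
"""
import socket
import ssl
import time

LDAPS_PORT = 636

# Constructed sample in the shape of ssl.getpeercert(); not a real DC certificate.
# Dates use the "%b %d %H:%M:%S %Y %Z" format the ssl module emits.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "issuer": ((("commonName", "Corp Enterprise CA"),),),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2010 GMT",
}


def cert_dns_names(cert):
    """DNS names a client may match against: SAN dNSName entries, then the subject CN."""
    names = [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def check_ldaps_cert(cert, dc_fqdn, now_ts=None):
    """Return a list of problems; an empty list means the certificate is usable for LDAPS on dc_fqdn.

    A client binding to ldaps://dc_fqdn:636 needs a certificate that names the DC
    (SAN dNSName or subject CN), is inside its validity period, and chains to a CA
    the client trusts. The chain itself is verified by the TLS layer in probe_dc();
    here we flag the obvious case of a self-signed certificate (subject == issuer),
    which no domain member will trust unless someone hand-distributes it.
    """
    now_ts = time.time() if now_ts is None else now_ts
    problems = []
    names = cert_dns_names(cert)
    if dc_fqdn.lower() not in names:
        problems.append(f"certificate does not name {dc_fqdn} (names: {names})")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now_ts <= not_after:
        problems.append(f"certificate not valid now (valid {cert['notBefore']} to {cert['notAfter']})")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("certificate is self-signed; clients will not chain it to the enterprise CA")
    return problems


def probe_dc(dc_fqdn, ca_file, timeout=5.0):
    """TLS handshake to dc_fqdn:636 requiring a chain to ca_file; return check_ldaps_cert() problems.

    A chain or hostname failure aborts the handshake and raises ssl.SSLError,
    so any certificate that reaches check_ldaps_cert() already chains to our CA.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED and check_hostname on
    with socket.create_connection((dc_fqdn, LDAPS_PORT), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
            cert = tls.getpeercert()
    return check_ldaps_cert(cert, dc_fqdn)


if __name__ == "__main__":
    # Assumed DC names and CA bundle path for this example; replace with your own.
    dcs = ["dc01.corp.example", "dc02.corp.example"]
    for dc in dcs:
        try:
            problems = probe_dc(dc, ca_file="corp-enterprise-ca.pem")
        except (OSError, ssl.SSLError) as exc:
            print(f"{dc}: LDAPS handshake failed: {exc}")
            continue
        print(f"{dc}: " + ("OK" if not problems else "; ".join(problems)))
```

Run it from a domain member with the enterprise CA's certificate exported to the PEM file; a DC that still has no certificate, or one whose certificate was issued by a CA the client does not trust, shows up as a failed handshake rather than a silently unencrypted bind. Because the hostname and chain checks happen inside the handshake, a DC that passes is one that real LDAPS clients will also accept.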