Certificate Authority services on W2k forest



Peter
07-09-2005, 10:53 PM
I want to set up an internal CA to deploy 4 certificates to our users (even
though our total user count in this company is 5000). We do not have any
major plans to deploy additional certs for others.

Question:
Can I just install CA on a domain controller? MS' best practice is to
use a 2 tier/3 tier method and NOT INSTALL CA on a DC. But in our situation,
we just need it to do a fast deployment. Deploying CA on 3 servers just
doesn't justify the cost.

Let me know what the drawback is by installing it on a domain controller.

Eduard Koller [MSFT]
07-09-2005, 10:54 PM
Yes, you can deploy a CA on a DC, but you should probably consider following
the suggestions presented in this document:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

--
Eduard Koller[MS]

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Peter" <Peter@discussions.microsoft.com> wrote in message
news:908355E5-9D5A-4761-82C0-CD8B1CBA0857@microsoft.com...
> I want to set up an internal CA to deploy 4 certificates to our users (even
> though our total user count in this company is 5000). We do not have any
> major plans to deploy additional certs for others.
>
> Question:
> Can I just install CA on a domain controller? MS' best practice is to
> use a 2 tier/3 tier method and NOT INSTALL CA on a DC. But in our situation,
> we just need it to do a fast deployment. Deploying CA on 3 servers just
> doesn't justify the cost.
>
> Let me know what the drawback is by installing it on a domain controller.

