(2) Offline root CA or just (1) ?
Posted by Marlon Brown on January 22, 2007, 12:26 pm
I am planning to deploy a two-tier hierarchy.

Initially I planned (2) servers dedicated to the Offline Root CAs
and

(2) servers dedicated to the Issuing CAs (online).

My question is, since the Offline Root CAs would remain turned off for the
most part, is it recommended to deploy two servers (for disaster
recovery purposes)? Or would people usually deploy just one?

15,000 user accounts
Win2003 AD (two forests, two domains)
6,000 WinXP computer accounts



Posted by Paul Adare on January 22, 2007, 12:42 pm
In the microsoft.public.security news group, Marlon Brown wrote:

> Initially I planned (2) servers dedicated to the Offline Root CAs
> and
>
> (2) servers dedicated to the Issuing CAs (online).
>
> My question is, since the Offline Root CAs would remain turned off for the
> most part, is it recommended to deploy two servers (for disaster
> recovery purposes)? Or would people usually deploy just one?

Only 1. Each PKI can only have a single root. If you deploy two
roots, then you've got two PKIs.


--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld


Posted by Brian Komar [MVP] on January 22, 2007, 12:44 pm
MarlonBrown@discussions.microsoft.com says...
> I am planning to deploy a two-tier hierarchy.
>
> Initially I planned (2) servers dedicated to the Offline Root CAs
> and
>
> (2) servers dedicated to the Issuing CAs (online).
>
> My question is, since the Offline Root CAs would remain turned off for the
> most part, is it recommended to deploy two servers (for disaster
> recovery purposes)? Or would people usually deploy just one?
>
> 15,000 user accounts
> Win2003 AD (two forests, two domains)
> 6,000 WinXP computer accounts
>
>
>
I have never deployed with a standby offline root CA. With a good backup plan
and disaster recovery documentation, you should be able to recover an offline
CA in just a few hours. No real need for a standby server. In fact, using disk
imaging software, you are talking minutes for recovery...
Brian
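
The backup-and-recover approach Brian describes, as an added example that is not part of the original thread: a PowerShell script that backs up an offline root CA with `certutil -backup` (available on Windows Server 2003 and later), saves the pieces `certutil` does not cover (the CertSvc registry configuration and CAPolicy.inf), and restores the CA on a rebuilt server while verifying that the restored CA certificate has the same thumbprint as the one backed up. The CA name, the backup path and the key-protection password are assumptions for illustration, not values from the thread.

```powershell
# Added example, not code from the original thread. Assumed values below.
$CAName     = 'Contoso Offline Root CA'            # assumed CA common name
$BackupRoot = 'E:\CABackup'                         # assumed removable media kept offline
$BackupPwd  = 'ChangeMe-StoreInTheDRBinder'         # assumed; protects the exported key (PKCS#12)

function Backup-OfflineRootCA {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $dir   = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $dir | Out-Null

    # 1. CA database, logs, and the CA certificate with its private key.
    certutil -f -p $BackupPwd -backup $dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit $LASTEXITCODE)" }

    # 2. CRL/AIA URLs, validity and CRL periods live in the registry and are
    #    NOT restored by certutil -restore, so export them separately.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $dir 'CertSvc-Configuration.reg') /y

    # 3. CAPolicy.inf controls renewal behaviour; keep it with the backup.
    Copy-Item "$env:SystemRoot\CAPolicy.inf" $dir -ErrorAction SilentlyContinue

    # 4. Record the CA certificate thumbprint so a restore can be verified.
    $cer = Join-Path $dir 'RootCA.cer'
    certutil -config "$env:COMPUTERNAME\$CAName" -ca.cert $cer | Out-Null
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    $x509.Thumbprint | Set-Content (Join-Path $dir 'thumbprint.txt')

    return $dir
}

function Restore-OfflineRootCA ([string]$FromDir) {
    # Assumes a clean install with Certificate Services set up under the SAME
    # CA name, either reusing the key restored with certutil -restoreKey or
    # letting certutil -restore overwrite it (-f).
    Stop-Service CertSvc -ErrorAction SilentlyContinue

    reg import (Join-Path $FromDir 'CertSvc-Configuration.reg')
    certutil -f -p $BackupPwd -restore $FromDir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed (exit $LASTEXITCODE)" }
    Copy-Item (Join-Path $FromDir 'CAPolicy.inf') $env:SystemRoot -ErrorAction SilentlyContinue

    Start-Service CertSvc

    # Verify the restored CA presents exactly the certificate that was backed up.
    $expected = (Get-Content (Join-Path $FromDir 'thumbprint.txt')).Trim()
    $tmp = Join-Path $env:TEMP 'restored-root.cer'
    certutil -config "$env:COMPUTERNAME\$CAName" -ca.cert $tmp | Out-Null
    $actual = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp).Thumbprint
    if ($actual -ne $expected) {
        throw "Restored CA thumbprint $actual does not match backup $expected"
    }

    # The root was down for the rebuild, so its last CRL may have expired or be
    # close to it: publish a fresh one now and copy it to the CDP locations.
    certutil -CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit $LASTEXITCODE)" }
}

# Usage on the offline root:
#   $b = Backup-OfflineRootCA        # run at each scheduled power-on, after CRL publication
#   Restore-OfflineRootCA $b         # run on the rebuilt server during a DR exercise
```

Two things worth adding to the DR documentation Brian mentions: the thumbprint check is what proves the rebuilt box really is the same root (a rebuild under the same name with a freshly generated key would silently break the chain to every issuing CA), and the root's CRL has a fixed validity, so the recovery runbook should end with publishing a new CRL and copying it to the CDP locations the issuing CAs and clients actually check.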

Posted by Marlon Brown on January 22, 2007, 1:20 pm
Great. Thanks.

> MarlonBrown@discussions.microsoft.com
> says...
>> I am planning to deploy a two-tier hierarchy.
>>
>> Initially I planned (2) servers dedicated to the Offline Root CAs
>> and
>>
>> (2) servers dedicated to the Issuing CAs (online).
>>
>> My question is, since the Offline Root CAs would remain turned off for
>> the
>> most part, is it recommended to deploy two servers (for disaster
>> recovery purposes)? Or would people usually deploy just one?
>>
>> 15,000 user accounts
>> Win2003 AD (two forests, two domains)
>> 6,000 WinXP computer accounts
>>
>>
>>
> I have never deployed with a standby offline root CA. With a good backup
> plan and disaster recovery documentation, you should be able to recover an
> offline CA in just a few hours. No real need for a standby server. In fact,
> using disk imaging software, you are talking minutes for recovery...
> Brian
