Best if you have a two-tier CA. The root CA is standalone, not joined to a domain, and kept shut down except for when the issuing CA needs to renew its cert. We use a VM for this, and just leave it shut down.
The issuing CA is best *not* run on a DC - I used a member server, and that's its only purpose. I suppose a CA can run on a DC, but I personally wouldn't do that, unless absolutely resource-restricted. Both are 2008R2 machines, but I'm sure we'll be upgrading to 2012R2 soon.

Kurt

On Thu, Nov 19, 2015 at 6:58 AM, David McSpadden <[email protected]> wrote:
> Do you have to have these in Active Directory?
>
> If so, do they run on the DCs?
>
> In a 2012 R2 environment, that is?
>
> This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
>
> Please consider the environment before printing this email.
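A way to check an existing domain against the two-tier layout Kurt describes, as an added example (not code from either poster): it lists the CAs published in AD as enrollment services (these must be online, so they are the issuing CAs), flags any of them whose host is a domain controller, and lists the root certificates published in the forest, marking a root that has no enrollment service as the offline root. It assumes the ActiveDirectory RSAT module, a domain-joined admin workstation with read access to the Configuration partition, and a single-domain forest (the DC lookup covers the current domain only); the "Offline" column is an inference from the directory, not a check that the root box is actually powered off.

```powershell
# Added example, not from the original thread. Compares a domain's AD CS
# objects against a two-tier design: online issuing CA(s) on member servers,
# one root published but not acting as an enrollment service.
# Assumptions: ActiveDirectory RSAT module, domain-joined workstation, read
# access to the Configuration NC, single-domain forest.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiServices = "CN=Public Key Services,CN=Services,$configNC"

# Every pKIEnrollmentService object is an enterprise CA that domain members
# enroll against; such a CA has to be online, so it cannot be the offline root.
$enrollSvcs = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiServices" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, cACertificateDN

# Domain controller FQDNs of the current domain, to spot a CA co-located with a DC.
$dcHosts = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() }

Write-Host "Online (enrollment) CAs:"
foreach ($svc in $enrollSvcs) {
    $caHost = $svc.dNSHostName.ToLower()
    [pscustomobject]@{
        CA       = $svc.Name
        Host     = $caHost
        RunsOnDC = ($dcHosts -contains $caHost)   # should be $false per the advice above
        CertDN   = $svc.cACertificateDN
    }
}

# Roots trusted forest-wide (what "certutil -dspublish -f root.cer RootCA" writes).
# A root with no matching enrollment service is the standalone/offline root.
$roots = Get-ADObject -SearchBase "CN=Certification Authorities,$pkiServices" `
    -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate

Write-Host "`nPublished root CAs:"
foreach ($root in $roots) {
    # cACertificate is multi-valued; each element is one DER-encoded certificate.
    foreach ($blob in $root.cACertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        [pscustomobject]@{
            Root       = $root.Name
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter                 # when the root itself must be brought up to renew
            Offline    = -not ($enrollSvcs.Name -contains $root.Name)
        }
    }
}
```

In a healthy two-tier deployment the first table shows the issuing CA with RunsOnDC false, and the second shows one self-signed root with Offline true; the NotAfter value of the root is the date to plan the next boot of the offline VM around, since the issuing CA's renewal has to happen before its own certificate expires and the root's signing lifetime bounds that.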
