Why when bringing up new DCs?
I was under the impression that the root would only issue certs to the 2nd tier, and the secondary issue the necessary certs to DCs. Am I missing something?

Kurt

On Tue, Nov 11, 2014 at 10:54 AM, Michael B. Smith <[email protected]> wrote:
> I advise my clients to only have the root server online when they are
> bringing up new DCs or renewing certificates for the sub-authorities.
>
> They also bring it up once a month to patch and then create a full-backup
> that goes over-the-wire to the DR site.
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ryan Shugart
> Sent: Tuesday, November 11, 2014 1:35 PM
> To: [email protected]
> Subject: [NTSysADM] making ADCS resilient
>
> Hi all:
>
> I just got handed our ADCS infrastructure, and was told that it
> needs to be made resilient. From what I can tell (the old admin left the
> company and didn’t provide much documentation) we have a two tier
> infrastructure with one root CA and two issuing CAs all running Windows
> Server 2012. From what I’m seeing now, I should be able to bring up another
> issuing server relatively easily in our DR site and we should be good there,
> but the root CA isn’t that easy to make resilient, and may not need to be
> resilient anyway. So question, is this what people are doing to make ADCS
> resilient across multiple sites or is there another approach to this?
>
> Thanks.
>
> Ryan
>
> Ryan Shugart
> LAN Administrator
> MiTek USA, MiTek Denver
> 314-851-7414
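A maintenance check along the lines of the advice above, written here as an added example and not code from the thread or from either poster: run on an issuing CA, it reports how long the subordinate CA certificates issued by the offline root have left (so the root-online window for renewals can be planned ahead) and then takes the monthly CA backup that is shipped to the DR site. The root CA subject name and the backup path are placeholders to be replaced.

```powershell
# Added example; runs on an issuing CA (Windows Server 2012 or later).
# Placeholders: $RootSubject and $BackupPath must be set for your environment.
Import-Module ADCSAdministration   # installed with the ADCS role; provides Backup-CARoleService

$RootSubject = 'CN=EXAMPLE Root CA'   # placeholder: subject of the offline root CA
$BackupPath  = 'D:\CABackup'          # placeholder: folder that is replicated to the DR site
$WarnDays    = 90                     # lead time to schedule bringing the root online

# The issuing CA's own certificate sits in the machine Personal store; certificates of
# other subordinate CAs that this host has seen sit in the Intermediate CA store.
$subCaCerts = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\CA |
    Where-Object { $_.Issuer -eq $RootSubject -and $_.Subject -ne $_.Issuer } |
    Sort-Object Thumbprint -Unique

if (-not $subCaCerts) {
    Write-Warning "No certificates issued by '$RootSubject' found; check the RootSubject placeholder."
}

foreach ($cert in $subCaCerts) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status   = if ($daysLeft -le $WarnDays) { 'RENEW SOON - plan a root-online window' } else { 'OK' }
    '{0,-40} expires {1:yyyy-MM-dd} ({2,4} days) {3}' -f $cert.Subject, $cert.NotAfter, $daysLeft, $status
}
# The root's CRL has a NextUpdate of its own; its re-publication belongs in the same window.

# Monthly DR backup of this issuing CA: database plus private key, protected by a
# password you are prompted for. Copy $BackupPath off-host afterwards.
$backupPassword = Read-Host -Prompt 'Backup password' -AsSecureString
Backup-CARoleService -Path $BackupPath -Password $backupPassword
```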

