Sorry. They issue certs from the root for LDAPS. There is no requirement for 
that, and I haven't investigated it in detail, but they believe it minimizes 
problems in bringing child domains online.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Tuesday, November 11, 2014 2:03 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: making ADCS resilient

Why when bringing up new DCs?


I was under the impression that the root would only issue certs to the 2nd 
tier, and the secondary issue the necessary certs to DCs.

Am I missing something?

Kurt

On Tue, Nov 11, 2014 at 10:54 AM, Michael B. Smith <[email protected]> 
wrote:
> I advise my clients to only have the root server online when they are 
> bringing up new DCs or renewing certificates for the sub-authorities.
>
> They also bring it up once a month to patch and then create a 
> full-backup that goes over-the-wire to the DR site.
>
> From: [email protected] 
> [mailto:[email protected]]
> On Behalf Of Ryan Shugart
> Sent: Tuesday, November 11, 2014 1:35 PM
> To: [email protected]
> Subject: [NTSysADM] making ADCS resilient
>
> Hi all:
>
>         I just got handed our ADCS infrastructure, and was told that 
> it needs to be made resilient.  From what I can tell (the old admin 
> left the company and didn’t provide much documentation) we have a two 
> tier infrastructure with one root CA and two issuing CAs all running 
> Windows Server 2012.  From what I’m seeing now, I should be able to 
> bring up another issuing server relatively easily in our DR site and 
> we should be good there, but the root CA isn’t that easy to make 
> resilient, and may not need to be resilient anyway.  So question, is 
> this what people are doing to make ADCS resilient across multiple sites or is 
> there another approach to this?
>
> Thanks.
>
> Ryan
>
> Ryan Shugart
>
> LAN Administrator
>
> MiTek USA, MiTek Denver
>
> 314-851-7414
>
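The disagreement above (does the root CA issue the DC's LDAPS certificate directly, or does an issuing CA sit in between?) is easy to settle per environment by looking at the chain a DC actually presents on port 636. The script below is an added example for that check; it is not from anyone in the thread. It connects to a domain controller over LDAPS, pulls the server certificate, builds its chain with the local trust store, and reports the issuer and chain depth. A depth of two (leaf plus root) means the DC certificate was issued by the root itself, as described in the first message; a depth of three or more means an issuing CA is in the path. The DC hostname is a placeholder to replace; revocation checking is turned off because an offline root's CRL may not be reachable and the point here is the chain structure, not a full validation.

```powershell
# Added example, not from the thread. Inspect the certificate a domain controller
# presents on LDAPS (TCP 636) and report how its chain is built, so you can see
# whether DC certs are issued directly by the root CA or via an issuing CA.
# Assumption: run from a domain-joined host that trusts the internal CA chain.
# The DC name is a placeholder; replace it with a real DC.
param(
    [string]$DomainController = 'dc01.example.internal',   # placeholder
    [int]$Port = 636
)

$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
try {
    # Accept the server cert in the TLS handshake callback so we can inspect it
    # ourselves below; the real trust decision is made by X509Chain, not here.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($DomainController)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline root: its CRL may be stale or unreachable, and we only want structure here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($leaf)

    "Subject     : $($leaf.Subject)"
    "Issuer      : $($leaf.Issuer)"
    "Valid until : $($leaf.NotAfter)"
    "Chain built : $built"
    "Chain depth (including leaf): $($chain.ChainElements.Count)"

    $i = 0
    foreach ($el in $chain.ChainElements) {
        "  [$i] $($el.Certificate.Subject)  (thumbprint $($el.Certificate.Thumbprint))"
        $i++
    }

    if ($chain.ChainElements.Count -le 2) {
        "NOTE: leaf chains straight to a root; this DC certificate was issued by the root CA itself."
    } else {
        "NOTE: one or more issuing CAs sit between this DC certificate and the root."
    }

    foreach ($s in $chain.ChainStatus) {
        "Chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
finally {
    $tcp.Close()
}
```

Run it once per DC (or loop over `Get-ADDomainController -Filter *` and pass each `HostName`) to get an inventory of which tier issued each DC's certificate. That inventory is what tells you whether bringing up a new DC really requires the root to be online, which is the operational question behind Michael's advice above.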

