Gotcha.
On Tue, Nov 11, 2014 at 11:14 AM, Michael B. Smith
<[email protected]> wrote:
> Sorry. They issue certs from the root for LDAPS. There is no requirement for
> that, and I haven't investigated it in detail, but they believe it minimizes
> problems in bringing child domains online.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
> Sent: Tuesday, November 11, 2014 2:03 PM
> To: [email protected]
> Subject: Re: [NTSysADM] RE: making ADCS resilient
>
> Why when bringing up new DCs?
>
>
> I was under the impression that the root would only issue certs to the 2nd
> tier, and the secondary issue the necessary certs to DCs.
>
> Am I missing something?
>
> Kurt
>
> On Tue, Nov 11, 2014 at 10:54 AM, Michael B. Smith <[email protected]>
> wrote:
>> I advise my clients to only have the root server online when they are
>> bringing up new DCs or renewing certificates for the sub-authorities.
>>
>>
>>
>> They also bring it up once a month to patch and then create a
>> full-backup that goes over-the-wire to the DR site.
>>
>>
>>
>> From: [email protected]
>> [mailto:[email protected]]
>> On Behalf Of Ryan Shugart
>> Sent: Tuesday, November 11, 2014 1:35 PM
>> To: [email protected]
>> Subject: [NTSysADM] making ADCS resilient
>>
>>
>>
>> Hi all:
>>
>> I just got handed our ADCS infrastructure, and was told that
>> it needs to be made resilient. From what I can tell (the old admin
>> left the company and didn’t provide much documentation) we have a two
>> tier infrastructure with one root CA and two issuing CAs all running
>> Windows Server 2012. From what I’m seeing now, I should be able to
>> bring up another issuing server relatively easily in our DR site and
>> we should be good there, but the root CA isn’t that easy to make
>> resilient, and may not need to be resilient anyway. So question, is
>> this what people are doing to make ADCS resilient across multiple sites or
>> is there another approach to this?
>>
>> Thanks.
>>
>> Ryan
>>
>>
>>
>> Ryan Shugart
>>
>> LAN Administrator
>>
>> MiTek USA, MiTek Denver
>>
>> 314-851-7414
>>
>>
>>
>>
>> MiTek Holdings, Inc., 2011-2014, All Rights Reserved
>>
>> ________________________________
>>
>> This communication (including any attachments) contains information
>> which is confidential and may also be privileged. It is for the
>> exclusive use of the intended recipient(s). If you are not the
>> intended recipient(s), please note that any distribution, copying, or
>> use of this communication or the information in it is strictly
>> prohibited. If you have received this communication in error, please
>> notify the sender immediately and then destroy any copies of it.
>
>
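The thread turns on whether the root CA issues the LDAPS certificates for domain controllers directly or whether only the subordinate issuing CAs do. The script below is an added example for checking that on an existing forest; it is not code from anyone in the thread. It opens a TLS connection to each DC on 636, reads the presented server certificate, builds its chain, and reports whether the certificate's issuer is a self-signed (root) CA or a subordinate. The DC names are placeholders, and the validation callback deliberately accepts any chain because the goal is to inspect the hierarchy, not to enforce trust.

```powershell
# Added example, not from the thread: report which tier issued each DC's LDAPS certificate.
# Placeholder DC names; replace with your own domain controllers.
param(
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),
    [int]$Port = 636
)

function Get-LdapsIssuerTier {
    param([string]$Server, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever chain the DC presents; we only want to look at it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)

        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain from the local machine's store so we can see the issuer certificate.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)

        $issuerIsRoot = $false
        if ($chain.ChainElements.Count -ge 2) {
            # The element right above the leaf is its issuer; a root CA is self-signed.
            $issuerCert = $chain.ChainElements[1].Certificate
            $issuerIsRoot = ($issuerCert.Subject -eq $issuerCert.Issuer)
        }

        [pscustomobject]@{
            Server       = $Server
            Subject      = $leaf.Subject
            Issuer       = $leaf.Issuer
            NotAfter     = $leaf.NotAfter
            ChainDepth   = $chain.ChainElements.Count
            IssuedByRoot = $issuerIsRoot   # $true means the root CA signed the DC cert directly
        }
    }
    finally {
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    try {
        Get-LdapsIssuerTier -Server $dc -Port $Port
    }
    catch {
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
    }
}
```

Run it from a domain-joined host that trusts the forest's CAs so the chain can be built fully; a `ChainDepth` of 2 with `IssuedByRoot` true is the pattern Michael describes (root signing DC certs directly), while a depth of 3 with `IssuedByRoot` false is the two-tier pattern Kurt expected. If the root is kept offline, a `NotAfter` column makes it easy to see which DC certificates will need the root brought back online for renewal.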