Enterprise Root CAs x 2?

From: Paul beyer (paulkbeyer_at_hotmail.com)
Date: 06/19/03


Date: Thu, 19 Jun 2003 04:28:24 -0700


I have an AD forest with two disjointed AD domains, being
onecompany.com and differentcorp.co.uk

Within this forest/two domains, I'm deploying a PKI to
serve web sites with SSL certs and users with certs to
secure and sign email using Exchange Key management
services. I'm having to buy two different certs, one for
each site as they are completely different, BUT with
regard to installing MS CA, you have the four options:
Enterprise Root CA
Enterprise Sub CA
Stand Alone Root CA
Stand Alone Sub CA

I'm opting for the Enterprise versions as I have AD for
the CAs to integrate with - I think that's the right
decision so far.
But you see I have two disjointed domains. And more to the
point, we cannot have customers discovering we are
associated with each other by looking at the certificate
path. By the normal train of thought I'd install the Root
CA in the forest root domain and then the Sub CA in the
other domain. But this would expose our association if it
were to work, and also would it work anyway, seeing as the
second domain is not a direct sub domain of the root and
is disjointed?

I would assume by the current predicament that I would
install a second Enterprise Root CA? But by definition
and by instructions it seems that the root CA should only
exist once in the forest, seeing as it is AD linked and
upon install it says the Root CA should be installed
before all others in the enterprise. Doh ..

Now I'm stuck. Can I install a second Root CA seeing as
the domains are disjointed?
Or would I install a Stand Alone Root CA and forfeit all
the functionality that the Enterprise one offers?

Hope someone can help with this!

Best Regards

Paul Beyer


