Re: PKI Certificate Server Install in AD Empty Root Domain

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 07/22/05


Date: Fri, 22 Jul 2005 07:02:29 -0500

In article <1121971277.827762.326290@g44g2000cwa.googlegroups.com>,
kerberos_boy@yahoo.com says...
> From Microsoft Technet document "Windows Server 2003 PKI Operations
> Guide":
>
> "Best Practice:
> The recommended best practice is to install CAs as a member of the root
> domain in the forest to provide centralized administration and control
> of the PKI services. For additional best practices, see the Windows
> Server 2003 Resource Kit."
>
> Please see this link:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> HTH,
>
> Kerberos_Boy
>
<snip>
Although this appears in an MS paper, I have found it to be an
over-simplification. Other factors can lead a company to place the
enterprise CA in a domain other than the forest root domain.
- GPO deployment - If the GPO design is not well developed in the root
domain (the empty root model), then it may be better from a security
perspective to place the CA computer account in a non-root domain.

- Security policies for computer account placement in the root domain.
Some organizations have policies that only root domain DCs will exist in
the forest root domain. All application servers, including CAs, must be
in a child domain.

To be honest, it really does not matter. Both solutions (forest root or
not) can be secured.

Brian

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
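The two placement policies discussed above (CA in the forest root versus CA in a child domain) can be audited rather than assumed. The following PowerShell is an added example, not code from the post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read the Configuration partition, and that a Global Catalog is reachable on port 3268.

```powershell
# Added example: list every enterprise CA published in the forest and report
# which domain its computer account lives in, so an organisation can check
# its own placement policy (root-domain CAs or child-domain-only CAs).
# Assumptions: ActiveDirectory module present, read access to the Configuration
# partition, and a Global Catalog reachable on the forest root domain.
Import-Module ActiveDirectory

function Get-EnterpriseCaPlacement {
    $forest   = Get-ADForest
    $rootDom  = Get-ADDomain -Identity $forest.RootDomain
    $rootDN   = $rootDom.DistinguishedName
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # Enterprise CAs register a pKIEnrollmentService object in this container
    # when they are installed, regardless of which domain hosts them.
    $esContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    $cas = Get-ADObject -SearchBase $esContainer `
                        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                        -Properties dNSHostName

    foreach ($ca in $cas) {
        $caHost = $ca.dNSHostName

        # Resolve the CA host to its computer account via the Global Catalog,
        # so the DN tells us the real domain (DNS suffix alone is not reliable).
        $computer = Get-ADComputer -Filter "dNSHostName -eq '$caHost'" `
                                   -Server "$($forest.RootDomain):3268"

        if ($null -eq $computer) {
            $domainDN = '(computer account not found in GC)'
            $inRoot   = $null
        } else {
            # Strip the CN/OU components; what remains is the domain DN.
            $dn       = $computer.DistinguishedName
            $domainDN = $dn.Substring($dn.IndexOf('DC='))
            $inRoot   = ($domainDN -ieq $rootDN)
        }

        [pscustomobject]@{
            CA           = $ca.Name
            Host         = $caHost
            DomainDN     = $domainDN
            InForestRoot = $inRoot
        }
    }
}

# Usage: flag any CA whose placement violates a "child domain only" policy.
Get-EnterpriseCaPlacement | Where-Object { $_.InForestRoot -eq $true }
```

Swap the final filter to `-eq $false` if the local policy is the Microsoft recommendation (CAs in the forest root); either way the output is the list of CAs that need a closer look.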

