Site Design and Certificate Authority

Davoud Teimouri 146 Reputation points
2020-08-30T18:50:47.967+00:00

Hi all,

We have three sites in different geo-locations. We plan to create three Active Directory sites, and there is some confusion. Can we deploy a subordinate Enterprise CA for each site?

BR


Accepted answer
Fan Fan 15,341 Reputation points Microsoft Vendor
2020-08-31T02:28:38.18+00:00

Hi,
In organizations with large numbers of users, it is prudent to deploy an offline standalone root CA and then use enterprise subordinate CAs for certificate deployment and management.
Normally speaking, the auto-enrollment configuration is not based on the Active Directory topology.
A user from site A can automatically receive a certificate from the CA in site B if he has auto-enrollment permission on a certificate template on the CA in site B.
If you want to deny the user from site A a certificate from the CA in site B, you have to deny the auto-enrollment permission on all templates on the CA in site B.

AD DS site awareness can be used to help optimize certificate services client requests. This functionality is not enabled by default on the certification authority (CA).
So if we have multiple CAs in various sites, the certificate template names on these CAs are the same, and the same users or computers have the same permissions for these certificate templates, the users or computers will select one CA depending on site costs: if all CAs are available, they will select a CA with low site costs.
To enable certificate services site awareness, the msPKI-Site-Name attribute must be populated for the certification authority (CA) object in the Enrollment Services container of Active Directory Domain Services (AD DS). The Enrollment Services container is in the Configuration container of AD DS under CN=Public Key Services,CN=Services,CN=Configuration,DC=<domainDistinguishedNamingContext>. For example, the following figure shows a CA named CPANDL-ECA1 that has an msPKI-Site-Name attribute value of Main.
For more details, you can refer to the following link:
https://social.technet.microsoft.com/wiki/contents/articles/14106.ad-ds-site-awareness-for-ad-cs-and-pki-clients.aspx
Best Regards,

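One way to inspect and populate the msPKI-Site-Name attribute described in the accepted answer, as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory module, write access to the CA objects in the Configuration partition, and hypothetical CA and site names (CONTOSO-SITEA-CA / SiteA, and so on) that you would replace with your own.

```powershell
# Added example (not from the original answer). Assumes the RSAT ActiveDirectory
# module and permission to write the pKIEnrollmentService objects in the
# Configuration partition.
Import-Module ActiveDirectory

# Locate the Enrollment Services container named in the answer, under the
# forest's Configuration naming context.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$enrollSvc = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Report every enterprise CA and its current site assignment.
# An empty msPKI-Site-Name means site awareness is not enabled for that CA.
Get-ADObject -SearchBase $enrollSvc -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, 'msPKI-Site-Name' |
    Select-Object Name, dNSHostName, @{ n = 'msPKI-Site-Name'; e = { $_.'msPKI-Site-Name' } }

# Map each CA object (its CN) to the AD site it serves. Hypothetical names.
$caSiteMap = @{
    'CONTOSO-SITEA-CA' = 'SiteA'
    'CONTOSO-SITEB-CA' = 'SiteB'
    'CONTOSO-SITEC-CA' = 'SiteC'
}

# Only accept site names that actually exist in AD Sites and Services;
# a mistyped site name would silently break cost-based CA selection.
$knownSites = (Get-ADReplicationSite -Filter *).Name

foreach ($entry in $caSiteMap.GetEnumerator()) {
    if ($knownSites -notcontains $entry.Value) {
        Write-Warning "Site '$($entry.Value)' does not exist; skipping $($entry.Key)"
        continue
    }
    $ca = Get-ADObject -SearchBase $enrollSvc `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$($entry.Key)))"
    if (-not $ca) {
        Write-Warning "CA object '$($entry.Key)' not found under $enrollSvc"
        continue
    }
    # -Replace overwrites any previous value, so re-running is safe.
    Set-ADObject -Identity $ca -Replace @{ 'msPKI-Site-Name' = $entry.Value }
    Write-Host "Set msPKI-Site-Name=$($entry.Value) on $($entry.Key)"
}
```

After the change replicates, rerun the first Get-ADObject query on a client from each site to confirm the values, and keep the template permissions identical across the CAs, since the answer notes that site-based selection only applies when the same templates and permissions are published everywhere.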
