Question : Microsoft PKI Design

Deploying a new AD Forest for a company. They have about 700 users, 300 or so are road warriors, 250 in a main facility and the remainder in (well connected) branch offices.

The plan is a 2008 R2 Forest and a single domain (a stand-alone root CA on 2k8 R2 Std will be created and taken off-line when the issuing CAs are up). I plan to have Enterprise CAs (2k8 R2 Ent) as the issuing CAs so I can use the templates and the auto enrolment for all the typical "stuff".

What I would like to do and am not sure I can is to use a different "DNS domain" for the certificates since the AD domain will be, and not available "outside", but I need the road warriors to be able to auto renew, check the CRL and all that, so I need a DNS path for them to follow. I'm perfectly fine with and prepared for having an internal DNS zone so internal users find the CAs as well.

I'm afraid I'll need two "domains" for CAs, the Enterprise CAs on and another "stand-alone" on

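The configuration the question is circling around, as an added example that is not part of the original post: pointing an issuing CA's CDP and AIA extensions at a DNS name separate from the AD domain, so clients off the corporate network can still fetch the CRL and the CA chain. "pki.example.com" and the "/pki/" web path are placeholders; the certutil registry keys, flag bits and %-tokens are the standard ones on a 2008 R2 CA.

```powershell
# Added example, not the poster's or any vendor's code. Run in an elevated
# PowerShell prompt on the Enterprise (issuing) CA. The same settings apply
# to the offline root, except that its CRL must be copied to the web host by hand.

# Placeholder: publicly resolvable name. Create the same record in the internal
# zone (split-brain DNS) so LAN users and road warriors follow one URL.
$ExternalHost = "pki.example.com"

# CRL locations. Flag bits: 1 = publish CRL here, 2 = put URL in the CDP
# extension of issued certs, 4 = include in CRLs (delta CRL discovery),
# 64 = publish delta CRLs here. %3 = CA name, %8 = CRL suffix, %9 = delta suffix.
# certutil treats a literal "\n" as the separator of a multi-string value.
$Cdp = @(
  "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl",
  "6:http://$ExternalHost/pki/%3%8%9.crl"
) -join "\n"

# CA certificate (AIA) locations. 1 = publish here, 2 = put URL in the AIA
# extension. %1 = CA server DNS name, %3 = CA name, %4 = cert renewal suffix.
$Aia = @(
  "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt",
  "2:http://$ExternalHost/pki/%1_%3%4.crt"
) -join "\n"

certutil -setreg CA\CRLPublicationURLs    $Cdp
certutil -setreg CA\CACertPublicationURLs $Aia

# Settings are read at service start; then republish the CRL so the
# files in CertEnroll (and whatever copies them to the web host) are current.
Restart-Service certsvc
certutil -crl

# Defender's check: verify chain and revocation over the published URLs
# for a certificate this CA issued, exactly as a remote client would.
# certutil -verify -urlfetch .\issued-cert.cer
```

Note that the CDP/AIA URLs are baked into every certificate at issue time, so the external name should be settled before the first enrollment, and the web host must serve them over plain HTTP without authentication; clients will not negotiate TLS or credentials to fetch a CRL.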

Answer : Microsoft PKI Design

