Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Andrzejek on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Implement PKI before or after domain upgrade?

Status
Not open for further replies.

zephyran

Technical User
Nov 30, 2001
311
US
We have an AD domain with only Win2k domain controllers (Native Mode). I'm looking to implement PKI for our staff websites (OWA and an Intranet) and for WPA, but I'm also thinking about upgrading the domain to contain at least one Win2k3 DC. I could start PKI immediately, but the domain upgrade may take more time.

If I install an Enterprise Certificate Authority before the domain upgrade, will it work properly when the domain is upgraded (even if the CA is still on a Win2k server)? Or, would I be better off waiting until after getting a Win2k3 DC or two first, and then installing the Enterprise CA on one of them?
 
I would wait until you at least install a Windows 2003 DC. Once the schema is extended you get the chance of using version 2 certificates. I would also recommend installing your CA on a 2003 machine.
 
Also note that version two certificates can only be issued by CAs running 2003 Enterprise or Datacenter.
 
If I were to implement PKI while the domain is still on 2000, or if I start it with 2003 Standard domain controllers, will I be easily able to upgrade to version 2 certificates later on?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top