WS2003 Functional-Level domain with 5 AD sites, each with a WS2003
DC/File/Print server. Sites are fully connected by RRAS L2TP/IPSec VPN.
Existing PKI is Enterprise Root CA at main office, currently on WS2003 R2
SP2 SE, with an Enterprise Sub CA at each branch office.

The expectation was that if a cert expired on an RRAS server, leaving the VPN
link down, the RRAS box could renew its cert from a CA on its LAN. But what
has actually happened in real life is that when the VPN link is down for any
reason, the CA service on the local DC won't even start, much less issue a
cert, because the CA can't check the CRL to see if its own Sub CA cert is
valid.

Enterprise CRLs are automatically published to AD, right? Each site has a
DC, and (not letting best practices get in our way, here) the CA is
installed on the DC, so AD availability should not be a problem.

Evidently there's a gap in this design somewhere... what do I need to do to
make sure each site has a CA available when the VPN link is down? Or is that
simply not possible?
Thanks!
--
Jeff Vandervoort
JRVsystems
http://www.jrvsystems.com
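The failure described in the post comes down to one question: which CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs are embedded in the branch Sub CA's own certificate, and which of them are still reachable from the branch when the VPN is down. The following diagnostic script is an added example, not something from the post or from JRVsystems. It assumes PowerShell 3.0 or later (for Invoke-WebRequest), a local certutil.exe, and that it is run on the branch CA itself; $CertPath is a hypothetical parameter that defaults to the CA's current certificate exported with "certutil -ca.cert". It lists every CDP/AIA URL, tries each one the way CryptoAPI would (serverless LDAP through the DC locator, HTTP directly), and then runs certutil's own chain build with revocation checking, which is the authoritative answer to "will this CA start?".

```powershell
# Added diagnostic example (not from the original post). Enumerates the CDP and
# AIA URLs in a CA's own certificate and tests each from this machine, so the
# paths that depend on the WAN/VPN link are visible before the link goes down.
# Assumptions: PowerShell 3.0+, certutil.exe available, run on the branch CA.
param(
    [string]$CertPath      # hypothetical parameter; default = this CA's own cert
)

Add-Type -AssemblyName System.DirectoryServices

if (-not $CertPath) {
    $CertPath = Join-Path $env:TEMP 'local-ca.cer'
    # Exports the currently active CA certificate of the CA running on this box.
    & certutil.exe -ca.cert $CertPath | Out-Null
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Pull the URL= entries out of the formatted extension text.
# CDP = OID 2.5.29.31, AIA = OID 1.3.6.1.5.5.7.1.1
function Get-ExtensionUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$c, [string]$oid) {
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# Fetch one URL roughly the way CryptoAPI does: serverless LDAP bind via the
# DC locator (so it hits a DC at this site), or a plain HTTP GET with a timeout.
function Test-CdpUrl([string]$url) {
    $result = [ordered]@{ Url = $url; Reachable = $false; Bytes = 0; Error = $null }
    try {
        if ($url -like 'ldap:///*') {
            # ldap:///<DN>?<attribute>?<scope>?<filter>  (DN is percent-encoded)
            $parts = ($url -replace '^ldap:///', '') -split '\?'
            $dn    = [uri]::UnescapeDataString($parts[0])
            $attr  = if ($parts.Count -gt 1) { $parts[1] } else { 'certificateRevocationList' }
            $entry = New-Object System.DirectoryServices.DirectoryEntry ("LDAP://$dn")
            $blob  = $entry.Properties[$attr].Value
            if ($blob) {
                # single-valued -> byte[]; multi-valued -> object[] of byte[]
                $result.Bytes = if ($blob -is [byte[]]) { $blob.Length }
                                else { ($blob | Measure-Object -Property Length -Sum).Sum }
                $result.Reachable = $true
            } else {
                $result.Error = "object found but attribute '$attr' is empty"
            }
        }
        elseif ($url -like 'http://*' -or $url -like 'https://*') {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $result.Bytes = $resp.RawContentLength
            $result.Reachable = $true
        }
        else {
            $result.Error = 'unsupported scheme (file:// paths are not tested here)'
        }
    }
    catch { $result.Error = $_.Exception.Message }
    [pscustomobject]$result
}

Write-Host "Certificate : $($cert.Subject)"
Write-Host "Issued by   : $($cert.Issuer)"
Write-Host "Valid until : $($cert.NotAfter)"

Write-Host "`nCRL Distribution Points (where this CA's own revocation status is checked):"
Get-ExtensionUrls $cert '2.5.29.31' | ForEach-Object { Test-CdpUrl $_ } | Format-Table -AutoSize | Out-Host

Write-Host "Authority Information Access (where the issuer's certificate is fetched):"
Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1' | ForEach-Object { Test-CdpUrl $_ } | Format-Table -AutoSize | Out-Host

# Current revocation-check flags of the local CA service, for reference.
Write-Host "CA CRLFlags:"
& certutil.exe -getreg CA\CRLFlags

# Full chain build with revocation checking; reports every URL it tried and
# whether the CRL it found was current. This is what the CA service does at start-up.
Write-Host "`ncertutil -verify -urlfetch:"
& certutil.exe -verify -urlfetch $CertPath
```

Run it once while the VPN is up and once with the link deliberately down (or with the head-office URLs blocked) and compare. Two outcomes explain the symptom in the post: the Sub CA certificate carries only HTTP CDP/AIA URLs that point at the main office, so nothing is fetched from the local DC at all; or an LDAP CDP is present but the CRL object in the branch DC's copy of the Configuration partition is stale, either because the latest root CRL had not replicated before the link dropped or because the CRL's "next update" time passed during the outage. In the second case AD availability is not the problem, CRL freshness is, so the root CA's CRL publication interval and AD replication latency between sites are what need attention. The CRLFlags output is worth reading as well: the CA service does honour a CRLF_REVCHECK_IGNORE_OFFLINE flag that lets it start when the CDP is unreachable, but it does so by skipping the confirmation that its own certificate has not been revoked, so it trades a start-up failure for a weaker check rather than fixing the CDP design.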