Hi All
I have a scenario where a Windows 2008 R2 domain spans two disparate sites over a WAN. I need my domain controllers to talk securely, i.e. over port 636. This involves me placing a certificate in the "Active Directory Domain Services" service > Personal certificates folder (NTDS/Personal) on each Domain Controller.
I have two Enterprise Certification Authorities in my domain, one at each site, for redundancy. (I cannot cluster a single CA across sites, as per Microsoft's recommendation.)
My question is this:
I can install a certificate from each subordinate enterprise CA into the Domain Controllers' store (so there are two). Should one CA fail, will my domain controllers continue to talk securely?
I am aware that the Revocation List is stored in AD, so the certificate will remain valid for a period of time. What would happen if this period expires? Will the Domain Controller automatically use the certificate from the other CA? Or will it all go wrong?
This is a very hard thing to test, so any advice would be gratefully received.
Thanks
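Added example (not part of the original post or of any Microsoft tooling): a PowerShell 2.0 script, written for the Windows Server 2008 R2 in the question, that makes the "hard to test" part observable. It lists the certificates a DC holds in its NTDS\Personal (NTDS\My) service store, then connects to each DC on TCP/636, captures the certificate Schannel actually presents, and builds its chain with an online revocation check so that an unreachable or expired CRL shows up as a chain status rather than as a guess. The DC names are assumed placeholders; the registry location of the NTDS service store and the property-blob layout (records of propid, reserved, length, data, with propid 32 carrying the DER certificate) are stated from my own knowledge and are not given in the post. Nothing here decides which certificate Schannel will pick when two are installed; it only reports what was picked and whether that certificate still validates.

```powershell
# Added example, not from the original post. Assumed DC names; replace with your own.
$DomainControllers = @('DC1.corp.example', 'DC2.corp.example')

function Get-NtdsStoreCertificate {
    # Run locally on a DC as Administrator. Reads the NTDS service store
    # (NTDS\Personal in the MMC) straight out of the registry. Assumed location
    # and blob layout: each value is a sequence of (propid, reserved, length, data)
    # records; propid 32 is the DER-encoded certificate.
    $path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
    if (-not (Test-Path $path)) { return @() }
    Get-ChildItem $path | ForEach-Object {
        [byte[]]$blob = (Get-ItemProperty $_.PSPath).Blob
        $offset = 0
        while ($offset + 12 -le $blob.Length) {
            $propId = [int][BitConverter]::ToUInt32($blob, $offset)
            $length = [int][BitConverter]::ToUInt32($blob, $offset + 8)
            $offset += 12
            if ($propId -eq 32) {
                $der = New-Object byte[] $length
                [Array]::Copy($blob, $offset, $der, 0, $length)
                New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
            }
            $offset += $length
        }
    }
}

function Test-LdapsCertificate {
    param([string]$DcFqdn, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
    # Accept anything during the handshake; validation is done explicitly below
    # so that the reason for a failure is reported instead of hidden in an exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }

    # Chain build with a live revocation check on every certificate in the chain.
    # If the issuing CA is down and its published CRL has expired, this is where
    # it surfaces (RevocationStatusUnknown / OfflineRevocation in ChainStatus).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    # A DC's LDAPS certificate needs the Server Authentication EKU and the DC FQDN
    # in its Subject Alternative Name; check both against what was presented.
    $serverAuth = $false
    $sanText = ''
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true }
            }
        }
        if ($ext.Oid.Value -eq '2.5.29.17') { $sanText = $ext.Format($false) }
    }

    New-Object PSObject -Property @{
        DC            = $DcFqdn
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer          # tells you which of the two CAs is in use
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $chainOk
        ChainProblems = ($problems -join '; ')
        ServerAuthEku = $serverAuth
        SanMatchesDc  = ($sanText -match [regex]::Escape($DcFqdn))
    }
}

# 1) On each DC: what is installed in NTDS\Personal, and from which CA.
Get-NtdsStoreCertificate | Select-Object Subject, Issuer, NotAfter, Thumbprint

# 2) From any domain-joined host: what each DC actually serves on 636 right now.
foreach ($dc in $DomainControllers) { Test-LdapsCertificate -DcFqdn $dc | Format-List }
```

Run the second part before and after taking one CA offline (and again after that CA's published CRL has passed its next-update time): the Issuer and Thumbprint columns show whether the DC switched to the other CA's certificate, and ChainBuilds/ChainProblems shows whether clients doing revocation checking would still accept what is being served. The store listing only reads the registry, so it does not disturb the store or the DC.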