Exchange server is also a Certificate Authority. Any way to separate them?
Hi everyone,
I just wanted to ask some questions regarding Exchange. I just started administering a network and found something strange.
Well basically we have an Exchange Server 2003 hosted on Windows 2003 that is also acting as a CA. Is this good practice to have a CA and Exchange hosted on the same server?
Also on the network there is a DC that is acting as a separate CA and both have totally different certificates. Is there a way to combine them on a single server?
Thanks in advance.
April 20th, 2011 6:14am
On Wed, 20 Apr 2011 10:08:54 +0000, YPadmin wrote:
>I just wanted to ask some questions regarding Exchange. I just started administering a network and found something strange.
>
>Well basically we have an Exchange Server 2003 hosted on Windows 2003 that is also acting as a CA. Is this good practice to have a CA and Exchange hosted on the same server?
If you only have one server then it's what you have to do. But putting
a CA on a shared machine isn't the best idea. Running it in a VM would
be acceptable.
>Also on the network there is a DC that is acting as a separate CA and both have totally different certificates. Is there a way to combine them on a single server?
Not that I know of. You can reissue certificates from one of them and
remove it. You should be asking this question in the O/S forums,
though.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 20th, 2011 9:51pm
Personally, I wouldn't put a CA on either an Exchange Server or a DC. It complicates (amongst other things) recovery, maintenance and upgrades.
As Rich suggests, consider virtualising machines to assist with role separation.
Tony
April 20th, 2011 10:14pm
Thank you both for the replies.
I will ask in the O/S forums as suggested. However I have a question regarding Exchange and the CA on it. I have noticed that the CA on it has a certificate for one of the DCs but not the other. When we turn off this particular DC we lose the connection to Exchange even though the other DC is still online. Is this because it doesn't have the certificate of the other DC?
Thanks in advance.
April 21st, 2011 3:49am
On Thu, 21 Apr 2011 07:43:41 +0000, YPadmin wrote:
>Thank you both for the replies.
>
>I will ask in the O/S forums as suggested. However I have a question regarding Exchange and the CA on it. I have noticed that the CA on it has a certificate for one of the DCs but not the other. When we turn off this particular DC we lose the connection to Exchange even though the other DC is still online. Is this because it doesn't have the certificate of the other DC?
What does "lose the connection" mean? If you have two DCs and you shut
down the one that Exchange is using, it takes a while for Exchange to
discover the problem and switch to the other DC. If you restart the
system attendant service it should perform a topology discovery and
switch to the active DC.
It's quite possible that your Exchange server doesn't have the CA's
root certificate in its local certificate store as a "trusted root
certificate". That's easy enough to remedy, though.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 21st, 2011 8:52pm
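The checks Rich describes in his last reply (see which DC DSAccess is using, restart the System Attendant to force a topology discovery, and confirm the CA's root certificate is in the server's Trusted Root store) can be run from PowerShell on the Exchange 2003 server. This is an added example, not code posted in the thread; it assumes PowerShell with the certificate provider is installed on the Exchange server and that the CA's common name is substituted for the placeholder `Contoso Root CA`.

```powershell
# Added example, not from the original thread. Assumes it runs on the Exchange
# 2003 server. Replace the placeholder with the issuing CA's common name.
$CaName = 'Contoso Root CA'   # assumption: your CA's CN goes here

# 1. Which DCs/GCs did DSAccess discover, and when? MSExchangeDSAccess writes
#    event 2080 after each topology discovery listing the servers it will use.
Get-EventLog -LogName Application -Source MSExchangeDSAccess -Newest 200 |
    Where-Object { $_.EventID -eq 2080 } |
    Select-Object -First 1 -Property TimeGenerated, Message |
    Format-List

# 2. Which DC is the operating system itself locating right now?
nltest /dsgetdc:$env:USERDOMAIN

# 3. Force a fresh topology discovery by restarting the System Attendant.
#    The Information Store and other Exchange services depend on it and are
#    restarted too, so do this in a maintenance window.
Restart-Service -Name MSExchangeSA -Force

# 4. Is the CA's root certificate in the machine's Trusted Root store?
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaName*" }
if ($root) {
    "Trusted root present: $($root.Subject) (thumbprint $($root.Thumbprint))"
} else {
    "CA root '$CaName' is NOT in LocalMachine\Root."
    "On the CA, export its certificate:   certutil -ca.cert ca_root.cer"
    "Then on this server import it:       certutil -addstore Root ca_root.cer"
}
```

Step 4 only verifies the issuing CA is trusted by the Exchange server's machine store; it does not tell you whether the other DC has a certificate at all. If the 2080 event in step 1 shows only the one DC being used, the outage when that DC goes down is the topology issue Rich describes, not a certificate problem.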