Best Practices for Certificate Authority

[Guest SmpIT]

Hello.

 

We are a small business (70-100 users) with two domain controllers both

running Server 2003. Going forward, we would like to use the new Network

Access Protection (NAP) to help with client security.

 

We know that installing a Certificate Authority on the domain is a necessary

first step in this process. Can anyone tell me if there is any reason NOT to

install the CA on one of our two domain controllers?

 

I know Microsoft best practices indicate that a CA should not be installed

on a DC "for security reasons," but I'm guessing that on balance, small shops

like us might not be as concerned about those potential security problems.

 

Also, it looks like it is necessary to run IIS on all CA servers, is that

correct?

 

Thanks much.

 

 

SMP IT