What happen if a Windows server CA lost his trust relationship with DC?

Question

What happen if a Windows server with CA role lost his trust relationship with DC?
The server is still up but I'm just curious what is the impact because I heard it can be installed on a stand alone server too.

Source link:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/bd15b214-087f-466a-b0fc-45a42633fda7/what-happen-if-a-windows-server-ca-lost-his-trust-relationship-with-dc?forum=winserverManagement

Answer 1

Hello,

Thank you so much for your feedback.

As Dave mentioned, the CA server should be on a member server in a domain environment. Usually there will be Single Tier PKI Hierarchy Deployment and Two Tier PKI Hierarchy Deployment.

There are four computers involved in this single-tier PKI hierarchy as shown below. The CA server is on a member server.

There are five computers involved in this two-tier PKI hierarchy lab as shown below.

In this two-tier PKI hierarchy, Standalone Offline Root CA will be configured. The standalone offline root CA should not be installed in the domain, so it is on a stand alone server.

We are wondering whether you have any doubt about standalone offline root CA. For more information, please refer to:

ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Hope the information is helpful. For any question, please feel free to contact us.