Hello ITPro.TV! I am going through the AD CS section of the 70-242 exam course and had a question regarding enterprise root vs stand-alone CAs.
First, my understanding of the two is that stand-alone CAs are not domain joined and consequently cannot be used for auto-enrollment process via GPO. Whether you are using stand-alone CAs or Enterprise CAs, it is typically accepted as a best security practice to keep the root CA "offline".
This brings up a flurry of questions from me.... Hopefully They are quick and easy to answer.
If you keep your enterprise root CA offline, what about domain "trust" issues when the SID of the computer object tombstones while the server is offline for an extended period of time?
Windows updates? How are you supposed to apply Windows updates to an offline root CA? Let's say your environments patching policy is such that patches must be applied within 30-days of release.
Can you have enterprise subordinate CAs that use a stand-alone (non domain joined) root CA? That way you don't have to deal with domain integration on the root, but can still use auto-enrollment features?
When (if ever) is it acceptable to use an enterprise root CA that stays online at all times?