Overview of CA Clustering

Applies To: Windows Server 2008

Failover clustering in Windows Server® 2008 provides an enhanced level of reliability for critical systems and services, including Active Directory® Certificate Services (AD CS).

With Windows Server 2003 and earlier versions, organizations had to deploy multiple certification authorities (CAs) to provide redundancy in case a critical network server failed. You can still have multiple CAs operating in your Active Directory forest, but with failover clustering there is no need to deploy more than one CA to protect AD CS from unexpected failure.

This white paper explains the detailed steps that are required to set up failover clustering with Windows Server 2008 and to run AD CS on shared storage with a network hardware security module (HSM).

Supported Scenarios

The following versions of Windows support the use of clustering for AD CS:

• Windows Server 2008 Enterprise

• Windows Server 2008 Datacenter

The following are considerations for running AD CS in a clustered environment:

• Clustering is supported for the AD CS service only. Clustering is not supported for other AD CS role services, including the Online Responder service or the Network Device Enrollment Service.

• AD CS can only be configured to use a two-node cluster.

• The cluster must be configured as an active/passive cluster. This means the AD CS service is only active on one node at a time. If the active node becomes unavailable, the second node becomes active and the AD CS service resumes functioning on the second node. Windows Server 2008 does not support an active/active cluster configuration for AD CS.

• Shared storage is required. To store the CA database and the log database for the CA, a shared storage location must be available to both cluster nodes that form the cluster.