Capacity Planning for NAP CAs
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The NAP CA provides health certificates to HRA when they are requested on behalf of NAP client computers. A NAP CA is required only if you deploy NAP with IPsec enforcement. The number of certificate requests received by a NAP CA and its ability to process these requests depend on the configuration of HRA, the type of NAP CA you use, and the available hardware resources.
When you install the HRA role service, you can choose a single NAP CA to associate with HRA or you can choose a NAP CA later using the HRA snap-in. To associate more than one NAP CA with the HRA, you must use the HRA configuration snap-in. When multiple NAP CAs are associated with an HRA, the HRA will request health certificates only from the NAP CA that is configured first in its processing order, unless this CA fails to respond. If a NAP CA does not respond, the HRA server will request a health certificate from the next CA in the list until it acquires a certificate or reaches the end of the list.
Load balancing of NAP CAs occurs when you configure different HRA servers with different primary and secondary NAP CAs. See the following diagram.
[Figure: Load balancing of NAP CA servers]
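The processing-order and load-balancing behavior described above, as an added Python model that is not part of the original page: each HRA sends its requests to the first NAP CA in its list that responds. The server names and request counts are constructed for illustration.

```python
# Added illustration: models the HRA processing-order behavior described above.
# Server names and request volumes are constructed, not taken from the page.

def request_certificate(ca_order, responding):
    """Walk one HRA's NAP CA list in processing order and return the first CA
    that responds, or None if the end of the list is reached."""
    for ca in ca_order:
        if ca in responding:
            return ca
    return None


def ca_load(hra_config, hra_requests, responding):
    """Return (requests handled per CA, requests that no CA could serve)."""
    load = {ca: 0 for order in hra_config.values() for ca in order}
    unserved = 0
    for hra, order in hra_config.items():
        ca = request_certificate(order, responding)
        if ca is None:
            unserved += hra_requests[hra]
        else:
            load[ca] += hra_requests[hra]
    return load, unserved


# Constructed sample: two HRA servers, two NAP CAs, 1000 requests per hour each.
REQUESTS = {"HRA1": 1000, "HRA2": 1000}
# Both HRAs list the same primary: the secondary CA is idle until a failure.
SAME_ORDER = {"HRA1": ["CA1", "CA2"], "HRA2": ["CA1", "CA2"]}
# Different primary and secondary per HRA: the load-balanced layout.
STAGGERED = {"HRA1": ["CA1", "CA2"], "HRA2": ["CA2", "CA1"]}

if __name__ == "__main__":
    for label, config in (("same order", SAME_ORDER), ("staggered", STAGGERED)):
        for responding in ({"CA1", "CA2"}, {"CA2"}, set()):
            load, unserved = ca_load(config, REQUESTS, responding)
            print(f"{label:10} responding={sorted(responding)} "
                  f"load={load} unserved={unserved}")
```

With different primaries the load splits evenly while both CAs respond, and moves entirely to the remaining CA when one stops responding.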
A dedicated NAP CA that meets recommended hardware requirements can typically support a higher volume of certificate requests than the associated HRA. Therefore, when you use a dedicated HRA with a dedicated NAP CA that both meet hardware recommendations for processor and disk speed, the number of client requests that can be processed is usually not limited by the performance of the NAP CA.
In addition to things that affect the frequency of certificate requests, such as the health certificate validity period, the following factors influence the number of NAP client computers that can be supported by a NAP CA:
Server roles. In its recommended configuration, the NAP CA is dedicated to issuing NAP health certificates only. Performance can be degraded if the NAP CA issues other types of certificates or performs other functions.
CA type. A standalone CA supports fewer features than an enterprise CA. Therefore, it can perform at a slightly higher capacity in a high certificate volume environment.
The primary limiting factor to the performance of a NAP CA is disk speed. For more information about hardware requirements for the NAP CA, see Appendix A: NAP Requirements.