While it is supported, it is against best practices to install the CA role on a domain controller, for the following reasons:

1- If you are to decommission that Domain Controller, you will first have to go through the procedure of moving the CA off it before decommissioning.

2- If you are to upgrade the version of the CA, this will require upgrading the OS of that domain controller, which in turn will require decommissioning it for the upgrade to take place.

3- In the event of a failure of that specific DC for any reason, restoring full functionality of both the DC and the CA will be lengthy, which could affect certificate validity due to the downtime.

4- Administration of certain CA functions requires local administrator rights, and this becomes an issue on a Domain Controller.

5- If you have to publish your CRLs externally, that DC will be internet-facing, which poses a very big security risk.


You might want to take a look at the posts below, which discuss the same topic:

1- This link confirms the local admin privileges needed; refer to the "Roles and Activities" section: http://technet.microsoft.com/en-us/library/cc732590.aspx

2- Please go through these posts for additional reasons why not to have it on a DC; see Sander's reply:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

http://www.networksteve.com/forum/topic.php/Remove_Certification_Authority_from_old_(in_use)_domain_controll/?TopicId=1969&Posts=9

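An added example, not taken from the post above or from any of the linked threads: a PowerShell audit that lists the enterprise CAs registered in Active Directory and flags any whose host is also a domain controller, so you can tell whether the situation described above exists in your forest. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the Configuration partition; the container path and attribute names are the standard ones AD CS uses when it publishes an enterprise CA.

```powershell
# Added example (not part of the original post): find enterprise CAs that sit on domain controllers.
# Assumes the ActiveDirectory module and read access to the Configuration naming context.
Import-Module ActiveDirectory

# Enterprise CAs are published as pKIEnrollmentService objects under this container.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$esContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$cas = Get-ADObject -SearchBase $esContainer `
                    -Filter 'objectClass -eq "pKIEnrollmentService"' `
                    -Properties cn, dNSHostName

# Collect every DC hostname across all domains in the forest (lower-cased for comparison).
$dcHosts = Get-ADForest |
    Select-Object -ExpandProperty Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    ForEach-Object { $_.HostName.ToLower() }

# Emit one row per CA; OnDomainController is $true for the configuration the post warns against.
foreach ($ca in $cas) {
    $caHost = $ca.dNSHostName.ToLower()
    [pscustomobject]@{
        CAName             = $ca.cn
        Host               = $caHost
        OnDomainController = ($dcHosts -contains $caHost)
    }
}
```

Run it from a domain-joined workstation with RSAT rather than on the DC itself; any row with OnDomainController set to $true is a CA that will need the migration procedure from the first reason above before that DC can be decommissioned or rebuilt.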