Hey guys, we have a two-tier CA hierarchy with an offline root and two issuing CAs. DirectAccess works fine; however, we want to publish the DA computer certificate template to both issuing CAs to have some resiliency. When we do this and a client rightly picks up a computer certificate from the CA server other than the one that issued the DA server's certificate, we get an error and the IPsec tunnels fail. If we re-issue the certificate back from the first CA (the same as the DA server), all is fine and dandy.
Is it supported to publish DA computer templates to two separate issuing CA servers? TechNet says this, which suggests it isn't, but surely there is a way to get better resiliency? Here is a quote from the TechNet link.
The client certificate and the server certificate should chain to the same root certificate. This root certificate must be selected in the DirectAccess configuration settings.
If we issued the DA computer certificate from the offline root, would it technically be chained if the client then issued from one of the subordinate issuing CAs? I haven't tried this, so I thought I would ask. I've got a case open with Microsoft directly but am not getting very far with it.
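The TechNet requirement quoted above is that the client certificate and the server certificate chain to the same root, and that this root is the certificate selected in the DirectAccess configuration. The script below is an added example, not code from the original post, for checking that precondition on a machine: it lists every computer certificate in the local machine store that carries the Client Authentication EKU, builds its chain (with online revocation checking, so a CRL problem shows up here rather than only as a failed tunnel) and reports the root the chain terminates in, alongside a thumbprint you expect. `$ExpectedRootThumbprint` is a placeholder you fill in; the suggestion in the comments that `(Get-DAServer).IPsecRootCertificate` holds the selected certificate on the DA server is an assumption based on the `Set-DAServer -IPsecRootCertificate` parameter, not something the post confirms.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# DirectAccess client, or on the DA server itself, to see which root each computer
# certificate actually chains to and whether it is the root you expect.
#
# $ExpectedRootThumbprint is a placeholder: paste the thumbprint of the root CA
# selected in the DirectAccess configuration. On the DA server the assumption is
# that (Get-DAServer).IPsecRootCertificate.Thumbprint yields that value.
param(
    [string]$ExpectedRootThumbprint = 'PASTE-ROOT-CA-THUMBPRINT-HERE'
)

# Thumbprints are often copied with spaces from the certificate UI; normalise them.
$ExpectedRootThumbprint = ($ExpectedRootThumbprint -replace '\s', '').ToUpperInvariant()

# True if the certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
# which a DA computer certificate template issues.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { return $true }
            }
        }
    }
    return $false
}

# Only certificates with a private key can be used to authenticate the IPsec tunnel.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku -Cert $_) }

if (-not $candidates) {
    Write-Warning 'No computer certificate with the Client Authentication EKU found in LocalMachine\My.'
    return
}

$report = foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation: an unreachable CRL distribution point is a common cause of
    # IPsec failures, and this surfaces it as a ChainStatus entry.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    # ChainElements runs leaf -> issuing CA(s) -> root; the last element is the anchor found.
    $path = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = $path[-1]

    [pscustomobject]@{
        Subject             = $cert.Subject
        IssuedBy            = $cert.Issuer
        Thumbprint          = $cert.Thumbprint
        ChainValid          = $chainOk
        ChainStatus         = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Path                = (@($path | ForEach-Object { $_.GetNameInfo('SimpleName', $false) }) -join ' -> ')
        RootThumbprint      = $root.Thumbprint
        MatchesExpectedRoot = ($root.Thumbprint -eq $ExpectedRootThumbprint)
    }
    $chain.Reset()
}

$report | Format-List
```

Run it on the DA server and on a client that holds a certificate from each issuing CA, and compare the `Path` and `RootThumbprint` fields: with a two-tier hierarchy both paths should end in the same offline root, differing only in the issuing CA in the middle. One thing worth checking while you are on the server is whether the certificate selected in the DirectAccess configuration is the root or one of the issuing CAs (`Get-DAServer` reports an `IntermediateRootCertificate` flag alongside `IPsecRootCertificate`; the property names are an assumption on my part). If the selection is an issuing CA rather than the root, a client certificate from the other issuing CA does not chain to the selected certificate even though both certificates chain to the same root, which is exactly the symptom of tunnels failing for certificates from one CA and working for the other.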