very nice presentation and good DFS implementation
I encountered the need as well because of RBAC and external trusts.
I developped as well a powershell function but based on a BFS and set parameters to take into account the scope search forest, domain, domain trusts forest trusts or explicit domains. I used the.net classes so no need for the RSAT and activedirectory module. I shared the function on my github for anyone who might have some interest as well
https://github.com/criffo/getADObjectMEmberOfCustom
What you are experiencing is expected behavior. CA publishes files one by one and if URL is failing, next will be attempted only after first URL is completed (either, published or failed).
Actually, DFS is the correct solution since it was intended to perform this task -> abstract clients from actual storage. What is behing DFS is completely irrelevant for clients.
Hi Vadims, do you have any experience in delays which occur when (delta) CRLs are published to two file locations (e.g. \\server1\... and \\server2\..) and one location is not available?
We find that the CRL is created in time, but not written to any location (LDAP, file, not even c:\system32\certenroll) until the attempt to the one file location times out (10 minutes, seems hardcoded).
This is because we have 2 OCSP responders behind an NLB and we didn't want to have any scheduled task or so to copy one file around (timing issues). Now we found this behaviour when one server went offline.
So publishing to a highly available storage location (e.g. netapp filer cluster) with a DFS share seems the only solution (we don't want to bother with Windows Server cluster and cluster shared volumes). Or do you see any other way to overcome such single failure of a file:// CDP location?
CRLOverlapPeriodUnits should be CRLOverlapUnits
I have always been a fan of your articles, because they are easy to follow, technically accurate and contain real life examples. Today I learned about how CCE works. Thanks again Vadims!