Hi Guys,
I have a customer who has a Windows Server 2003 Certificate Authority. There is a root server and one issuing server. Both run Windows Server 2003 Standard Edition
I want to put in a more secure and scalable PKI Infrastructure. They want to primarily use the CA for Computer Certificates for a wireless network. Looking on their system today, they also have EFS, Domain Controller, IPSEC and Web Certs (Lync and Exchange).
My planned implementation is to have Windows Server 2008 R2 Datacenter (as they are licensed for it) implemented in the following fashion:
RootCA (Standalone, 10 Years, 2048 key, Offline)
Issuing01 (Enterprise, 5 Years, 1024 Key, Online, CRL) - For User Certs
Issuing02 (Enterprise, 5 Years, 1024 Key, Online, CRL) - For Computer Certs
How would I go about going from the Windows Server 2003 Hierarchy to the new hierarchy? I assume I would backup and restore somehow but my current Root CA is Enterprise and Online. I want the new Root CA to be standalone and offline. Also I assume I would
need to keep the server names the same?
Any help would be appreciated!

Need to support users over the internet? click here try our remote control online beta

It seems like you want to replace an existing PKI with a new PKI in the same domain. if so, you might find these two articles of assistance:

http://blogs.technet.com/b/askds/archive/2010/08/23/moving-your-organization-from-a-single-microsoft-ca-to-a-microsoft-recommended-pki.aspx


http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

I think you can safely go for a root certificate validity period of 20 years and an issuing certificate validity period of 10 years or more, but it depends on the policies for the PKI. The key length for the issuing CAs could also probably be 2048, again
unless there are specific policy reasons why a 2048 bit key length cannot be used.
Steve G

There is an amazing pack of free network admin tools. click here to download it

Thanks for that I was going to go with the below procedure: What do you think?

Backup current Windows Server 2003 PKI Infrastructure.Analyse current Windows Server 2003 PKI Infrastructure and document current certificate uses. (Include a list of
Certificates that can be revoked)Install 3 x Windows Server 2008 R2 SP1 Datacentre Edition onto existing Virtual Infrastructure with all Operating System patchesConfigure new Root CA Server with Active Directory Certificate Services in Standalone modeConfigure new Root CA with a Certificate Key length of 4096 and validity of 20 yearsExport Trusted Root Certificate for Enterprise Servers and Clients to useImport Trusted Root Certificate onto new Issuing Certificate ServersConfigure 2 x new Issuing Certificate Servers in Enterprise ModeConfigure new Issuing CAs with a Certificate Key length of 2048 and validity of 10 yearsDisable AutoEnrollment on Issuing CAsCreate new AIA and CDP Distribution points for new PKI.Remove Certificate Templates from Windows Server 2003Stop and Disable Certificate Services on Root and Issuing CA Servers in the existing Windows Server 2003 environment.Enable AutoEnrollment on Windows Server 2008 Issuing CAsRe-enrol certificate holders for templates (This will reissue automatically enrolled certificates)
Manually update existing certificates that were manually requested (eg Exchange, Lync and OCS)Configure Certificate Revocation Lists on Issuing Servers

Need to support users over the internet? click here try our remote control online beta

Would that work guys? :-)

There is an amazing pack of free network admin tools. click here to download it

If you follow the instructions in the second article, you should be fine. However, I would recommend gaining some experience with the process by running through it in a lab. I see you have specified a 4096 bit key length for the root CA. Make sure
that everything you plan to issue a certificate to can handle a 4096 bit key. There are some instances of older equipment, a Cisco VPN 3000 for example, that cannot handle a 4096 bit key length.
Steve G

There is an amazing pack of free network admin tools. click here to download it