Hello, I need some advice to know if the following is achievable? We already have an existing PKI infrastructure - an Enterprise Root CA was created on a 2003 DC approximately 4 years ago. Recently we have started the migration to 2008r2 AD - as the existing Root CA is due to expire in 12 months and the hardware should also be decommissioned it seems like a good time to move to a new Enterprise Root CA on a 2008r2 server. My question is; can both these Enterprise Root CA's be run side by side? We have a single domain / forest - nothing complicated. Would I be correct in assuming when the new 2008 Enterprise Root CA comes on line its Root CA cert would be automatically published / installed to domain joined computers along side the existing 2003 Trusted Root CA cert? With both Enterprise Root CA's operational we could then start to migrate or issue new certs from the new CA and slowly decommission the old CA over a number of months? One additional question - is there something written to the AD configuration somewhere that indicates to clients which is the primary Enterprise Root CA to use when requesting new certificates? Regards Mark

if you wish to deploy *new* PKI, it is possible to maintain several PKIs within single AD forest. When new PKI is deployed, configure necessary template to issue on new CA server and remove all templates from old CA server. This will ensure that clients will send certificate requests to new CA server.http://en-us.sysadmins.lv

Thanks, We don't use any custom templates on the old 2003 CA so I assume it is safe to delete the standard templates (Web Server, Computer, Domain Controller etc) from the old once the new is live? Mark

yes. Just remove these templates from old CA and add them to new CA server.http://en-us.sysadmins.lv