I don't have Certificate Authority Server and the server certificates have expired
Hello, We have two AD servers and neither of them is running as a Certificate Authority Server. Originally we had a third server which seems to have had this service running, but that died over a year ago. One of the existing AD servers has an expired certificate but the other server's certificate is still valid. I want to install the Certification Authority role on the existing AD server with the valid certificate, but I don't know what options to take when setting up the Role. I assume Enterprise and Root CA, but then it asks to create a new private key or use an existing key. I have tried to export the existing valid server certificate to get the private key, but it refuses to export it. I am concerned that if I go ahead and install the role using a new private key, our existing servers will stop working or be forced off the AD. Can someone please help? The two servers are running Windows Server 2008 R2 and the domain functional level is Windows Server 2008 (as we have some 2008 servers). My main concern is the Exchange 2007 Server; I really don't want to stuff that up. Thanks for any help.
February 22nd, 2011 10:24pm

Your proposed configuration is not a best practice. You should check out the following article: http://social.technet.microsoft.com/wiki/contents/articles/2901.pki-design-guidance.aspx That said, if you install a new Enterprise Root CA with a new key pair, it should work. The DCs should automatically pull their new certificates. I am not sure about the Exchange Server; probably best to ask in an Exchange forum. I "think" the Exchange server creates its own certificate.
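Before adding a new Enterprise Root CA in a situation like the one described above, an administrator would want to know two things: which machine certificates on the DC are expired and whether their private keys are marked exportable (which explains the export refusal in the question), and whether the dead server's CA is still registered in Active Directory, because domain members keep trying to enrol against any CA listed under Enrollment Services. The following PowerShell inventory is an added example, not code from the thread; it reads the configuration partition from AD rather than assuming any server names, and is meant to be run on a domain controller.

```powershell
# Added example: pre-installation inventory for the scenario in the thread.
# Part 1: certificates in the local machine store, with expiry state and
# whether the private key was generated as exportable.
$now = Get-Date
$localCerts = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $state = if ($_.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($_.NotAfter -lt $now.AddDays(30)) { 'EXPIRING' }
             else { 'OK' }
    $exportable = 'unknown'          # stays 'unknown' if the key is not readable
    try {
        if ($_.HasPrivateKey -and $_.PrivateKey) {
            $exportable = $_.PrivateKey.CspKeyContainerInfo.Exportable
        }
    } catch { }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        State      = $state
        Exportable = $exportable
        Thumbprint = $_.Thumbprint
    }
}
$localCerts | Sort-Object NotAfter | Format-Table State, NotAfter, Exportable, Subject, Issuer -AutoSize

# Part 2: CA objects still registered in AD. A CA server that died without
# being decommissioned leaves its pKIEnrollmentService object behind here.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$esPath   = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$esPath
$searcher.Filter     = '(objectClass=pKIEnrollmentService)'
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'cACertificate'))
foreach ($result in $searcher.FindAll()) {
    $caName = [string]$result.Properties['cn'][0]
    $caHost = [string]$result.Properties['dnshostname'][0]
    $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        , [byte[]]$result.Properties['cacertificate'][0])
    # A host that no longer resolves on the network is the stale CA to clean up
    # (certutil -dsdel or pkiview.msc) before or after adding the new one.
    $reachable = Test-Connection -ComputerName $caHost -Count 1 -Quiet -ErrorAction SilentlyContinue
    "CA '{0}' on {1}: CA cert expires {2}; host reachable: {3}" -f `
        $caName, $caHost, $caCert.NotAfter, $reachable
}
```

The expired DC certificate in the output will typically show the dead server as its Issuer, which is the quickest way to confirm that the old CA is the one that needs to be removed from Enrollment Services once the new CA is in place.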
April 16th, 2012 10:36pm
