Hi I would like to upgrade my two windows enterprise 2003 CA servers to Windows 2008 R2 services. I would not be able to upgrade the domain controllers, Exchange or Active directory servers which are currently running on Windows 2003 version. I would like to know can I simply join couple of 2008 R2 servers, join them in the current domain and install Certificate services. I would like to know the impacts on the current Active Directory (there are some legacy systems using the 2003 version) and other systems. I guess 2008 R2 certificate services has some additional certificate templates and roles, so there should be some updates to the active directory. Thanks in advance. Sanurajan

Hi Lawrence & Vadims Thanks for your response. Below is my understanding from your responses. Joining new 2008 R2 servers as members of the current 2003 domain would not have any impact, however these new servers will not be able to use any new certificate templates and features of 2008 R2 version because the Active Directory Services needs to be updated. I would not be able to upgrade the domain controllers and current active directory services as there are many known legacy applications rely on the current schema and many unknown entities may be still using the directory. Hence may be I can opt for a strategic approach, where I first upgrade the current 2003 CA servers to 2008 R2 CA servers as just a member services and use the available features from 2003 active directory. Later down the line I can upgrade the domain controllers and active directory to 2008 R2 version. Will the 2008 R2 CA servers be able to use the additional features and certificate templates without being modified or do I need to re-install the CA services? Thanks in advance. Sanurajan.

> And I think its no need to update your forest schema for these two 2008 R2 member servers. Thats needed if you want to introduce 2008 R2 domain controller. Lawrence, you are incorrect here. Schema upgrade is required if you wish to utilize new ADCS functionality. > then you can get all new features of 2008 R2 Active Directory also new features of Certificate Services. and you are wrong here too. Domain controller version is not related here. > however these new servers will not be able to use any new certificate templates and features of 2008 R2 version because the Active Directory Services needs to be updated no. you can use new features without upgrading domain controllers, just need to upgrade schema.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Hi Vadims Thanks for the clarification. When you say upgrading the schema - Does it modify or remove the existing objects and their structure (hierarchy)? I would imagine it would just add additional objects. The reason for being paranoid is I have no idea about those systems and applications which uses the current 2003 Active Directory. Hence I want to be absolutely sure that upgrading the schema would not affect their current functionality. Please confirm. Cheers Sanurajan.

AD schema is designed in that way so it is impossible to delete any object classes and attributes. Generally, schema upgrade means new attribute and class addition. since nothing is removed from the schema, existing applications are not affected.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Hi Vadims Thanks for your reply. One last question -> Will schema upgrade happen automatically when I install the certificate services in Windows 2008 R2 servers or should I do independently before I install the certificate servers? Or is there any existing document to take me through this scenario. Thanks in advance. Sanurajan