Migrate Svr 2003 Ent Root Cert Server/domain controller to Server 2008 member server or start over.
I hope I am not too redundant with other questions; I have read the other topics. I have an Ent Root CA running on a Windows Server 2003 x32 domain controller and an Ent Sub CA also running on a Windows Server 2003 x32 domain controller. From what I read, I think I want a Stand-alone Root CA running on a Windows Server 2008 R2 x64 VM and 2 Ent Sub issuing CAs running on Windows Server 2008 R2. This would require a host name migration as well as an Ent Root to Stand-alone Root migration. From what I have read so far, I am not sure if starting over versus migration is the best choice. I can migrate the existing Ent Root to an Ent Root 2008 R2 member server on a VM, but can I (and do I want to) migrate it to a stand-alone Root? I have already added 2 2008 R2 Domain Controllers which now hold all the roles, and the certificate server move is all that remains before decommissioning the older 2003 Domain Controllers. My network is small: 140 desktops and 13 servers. Most workstations run Win 7 x64 with a few XP workstations left. Most servers run Server 2008 R2 with a few 2003 servers left. We use Exchange 2007 with OWA. I want to add other Server 2008 roles such as DRM but want to resolve the certificate issues first. Thanks in advance for the help.
March 7th, 2012 12:50pm

Yes, you can migrate an Enterprise Root CA from Windows Server 2003 x86 to a Standalone Root CA on Windows Server 2008 R2. However, this migration requires some non-trivial pre- and post-migration configuration and a migration plan. I'd suggest contacting a consulting company to perform such a migration.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 7th, 2012 1:16pm

Vadims - thx for your post. Is that the best solution? I read through the process of moving an Ent Root CA from a 2003 x86 host to a 2008 R2 X64 host and it seems doable. Do I gain enough benefit by also making my root standalone?
eburch@lasertel.com
March 7th, 2012 1:35pm

> Is that the best solution
If you don't completely understand how it works now and how it will work then.
> I read through the process of moving an Ent Root CA from a 2003 x86 host to a 2008 R2 X64 host and it seems doable.
It is not the same.
> Do I gain enough benefit by also making my root standalone?
My opinion is: do not change anything unless it is really necessary and you know/understand how to do it and what implications might be in place. If you plan to move root CA server, it is better to move it to a separate host and make it offline Standalone CA.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 7th, 2012 2:23pm

The driving factor is the need to decommission the two Windows 2003 X86 Domain Controllers which are currently serving as Ent Root and Ent Sub Certificate servers. The current PKI structure works even if it isn't best practices. I changed hardware twice over the last 10 years and moved the DCs and certificate servers each time.
eburch@lasertel.com
March 7th, 2012 2:39pm

Try it.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 7th, 2012 2:45pm

How will that affect my Enterprise Subordinate server - will it still be an Ent Sub after the migration? I am assuming if I just move the Ent Root from 2003 X86 to 2008 R2 x64 it would be, but what if I migrate the Ent Root to a Standalone Root? BTW, thx for the help.
eburch@lasertel.com
March 7th, 2012 3:33pm

Nothing is changed for the subordinate CA, because you are dealing with the root CA.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
March 7th, 2012 3:40pm

I was trying to get ready for the move and I realized my Ent Root and Ent Sub are both within a year of expiring. In addition, some of my 2008 servers and Windows 7 machines are not receiving new computer certificates, but the XP ones are doing fine. I was digging around and I noticed that the default domain group policy object doesn't list the Ent Root as a trusted root authority; I thought that happened automatically when you installed the Ent Root in 2003? I installed the newly issued Ent Root and Ent Sub certs on a server to see if the expiration dates updated and they didn't - confusing. Is there a tool to validate the certificate services install? Thanks as always.
eburch@lasertel.com
March 20th, 2012 6:58pm

This topic is archived. No further replies will be accepted.
