Our current CA is on a DC running server 2003 SP2. I am going over the AD CS upgrade and migration guide in order to get as good an understanding of this process as possible. The question I have right now is Does the CA have to be installed on a DC?

Hello, personally I recommend running it on a member server. I don't recommend running roles other than AD/DNS/DHCP on a DC. For upgrade and migration: http://technet.microsoft.com/en-us/library/cc742479(WS.10).aspx More information if you ask here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator

Yes it can. I also suggest to implement subordinate CA in addition and not everything relying on your root CA. The safest would be having a subordinate CA and switch off line the root ca. Please follow the Microsoft's best practises on the link below and you won't be wrong: http://technet.microsoft.com/en-us/library/cc738786(WS.10).aspx Vincenzo MCTS, MCTIP Server 2008 | MCTS Exchange 2010 | WatchGuard Firewall Security Professional

Hello, a CA should never be installed on a DC, DCs are changing very often and a CA normally not. Also in a crash from AD you run into trouble as restoring may result in problems with the CA afterwards.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.