PKI Reorganization
Dear All,

Currently we have a single forest/single 2008 R2 domain. Someone in their haste installed an Enterprise Root CA on the first DC in the domain and issued certs from it, etc. With the introduction of Exchange 2010, Lync 2010 and SharePoint 2010, it is thought that a better PKI design is required. The favoured design is a standalone offline root CA with an enterprise subordinate issuing CA.

What will be the best way to go from what we currently have to what we desire? Can the current enterprise root CA be 'changed' into a subordinate of the new standalone offline root CA? Can we just scrap the current PKI (e.g. remove AD CS from the domain controller) and start again properly? What impact would that have on the small number of issued certs and the directory as a whole?

Thanks for reading,
Dirk
June 10th, 2011 5:22pm

It is possible to move the existing Enterprise Root CA to an offline Standalone Root CA and build a new subordinate CA under the existing root. In this case only custom registry settings should be moved to the root CA server. Also you will have to revisit the root CA's CDP and AIA extensions (file publishing URLs). There is no way to convert a root CA to a subordinate. A Root CA can be migrated to a Root CA. As another way, you can completely decommission the existing PKI and start a new one from scratch.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 10th, 2011 5:56pm

Many thanks for your reply, Vadims. I think I'm favouring decommissioning and creating a new PKI; it seems like it might be a bit cleaner. Is the decommissioning process an easy one? Is it a matter of removing AD CS and running something like http://poweradmin.se/blog/2010/11/13/cadct-ca-decommission-tool/ ? Once the work's done, I suppose it's just a matter of issuing new certs from the new PKI to the few servers that have certs from the current PKI?

I know my manager will ask, so I might as well: "Will such work have a direct impact on our AD?"

Many thanks again,
Dirk
Dirk Burger
June 10th, 2011 8:20pm

> Is the decommissioning process an easy one?

Yes, here is a how-to guide: http://support.microsoft.com/kb/889250

> Is it a matter of removing AD CS and running something like http://poweradmin.se/blog/2010/11/13/cadct-ca-decommission-tool/ ?

I'm not aware of that 3rd-party tool. You can use it at your own risk, but I would advise doing it manually.

> I know my manager will ask, so I might as well: "Will such work have a direct impact on our AD?"

This depends on how the current certificates are used. For example, if certificates are used for EFS, there should not be issues. If certificates are used for authentication — these authentication services will not work.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 10th, 2011 8:53pm
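Before scrapping the CA, it helps to know which of the "small number of issued certs" are still valid and which templates they came from, because that is what decides the AD impact Vadims describes (EFS versus authentication). The PowerShell below is an added example, not code from this thread or from the PSPKI module; the CA config string is a placeholder and it assumes certutil.exe is available (run on the CA itself or with the AD CS management tools installed).

```powershell
# Added example (not from the thread): list the still-valid certificates the
# existing enterprise root CA has issued, grouped by template, to judge what
# breaks when AD CS is removed from the DC.
function Get-ActiveIssuedCerts {
    param(
        # Placeholder config string: <CA host>\<CA common name>
        [string]$CaConfig = 'DC01.corp.example\Corp-Root-CA'
    )
    # Disposition 20 = issued certificate; request only the needed columns as CSV.
    $rows = certutil -config $CaConfig -view -restrict 'Disposition=20' `
        -out 'RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter' csv

    # Keep only data rows (they start with the numeric request ID); this drops
    # the localized header line and any trailing certutil status text, and lets
    # us assign our own column names independent of the UI language.
    $certs = $rows | Where-Object { $_ -match '^"?\d+"?,' } |
        ConvertFrom-Csv -Header RequestID, Requester, CommonName, Template, NotAfter

    $now = Get-Date
    foreach ($c in $certs) {
        # certutil writes dates in the current culture, so parse them the same way.
        $expires = [datetime]::Parse($c.NotAfter)
        if ($expires -gt $now) {
            [pscustomobject]@{
                RequestID = [int]$c.RequestID
                Requester = $c.Requester
                Subject   = $c.CommonName
                Template  = $c.Template
                NotAfter  = $expires
            }
        }
    }
}

$active = Get-ActiveIssuedCerts

# Which templates are still in use and how many live certs each has. Templates
# used for authentication are the ones whose consumers stop working when the CA
# goes away; EFS-only certs are not affected, as noted in the reply above.
$active | Group-Object Template |
    Select-Object @{ n = 'Template'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Detail list, soonest expiry first, to plan reissue from the new subordinate CA.
$active | Sort-Object NotAfter |
    Format-Table RequestID, Requester, Subject, Template, NotAfter -AutoSize
```

Run it before the decommission and keep the detail list; it is the set of servers that need a new certificate from the new issuing CA.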

Thanks for the clarification. I had managed to find that KB but was a bit worried that it was for Server 2000 and 2003; I wondered if it might be different for 2008 R2. Well, I've got a couple of days over the weekend to build up the courage to carry out the work on Monday!

Thanks for your knowledge, all the best,
Dirk

PS. Your PowerShell PKI module looks pretty cool!
Dirk Burger
June 10th, 2011 9:03pm

This is the most current article for the CA decommission process.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 10th, 2011 10:02pm

