PKI on AD 2003
Hi Everyone
I have a 2003 AD environment (upgrading to 2008 R2 in a few months) and I now need to set up PKI with a Root CA (offline for security purposes) and an Enterprise CA.
Can I set this up using 2008 R2 or do I need to do it in 2003 only?
Can someone point me to some step-by-step directions?
Thanks.
- Andre
June 23rd, 2010 11:38pm
Hi,
Thank you for your post here.
The answer to whether you need Windows Server 2008 R2 ADCS or Windows Server 2003 Certificate Service is based on your requirements. Windows Server 2008 ADCS will have these features:

| Feature | Benefit |
| --- | --- |
| Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service | Enables certificate enrollment over HTTP. |
| Support for certificate enrollment across forests | Enables certification authority (CA) consolidation in multiple-forest deployments. |
| Improved support for high-volume CAs | Reduced CA database sizes for some NAP deployments and other high-volume CAs. |

To create a Windows Server-based PKI infrastructure with an offline root CA, please check:
Checklist: Creating a certification hierarchy with an offline root certification authority
http://technet.microsoft.com/en-us/library/cc737834(WS.10).aspx
June 24th, 2010 6:32am
Hi Miles
Thanks for your response. I will be following the link you gave. I also recently got the MSPress PKI Resource Book for 2003.
Using 2003 versus 2008 was not a matter of features (though that is very important) but rather a question of support:
2003 will be out the door soon in terms of support and so we are thinking of going straightaway to 2008 R2 PKI - this means hopefully that we have one less service to upgrade when we move to 2008 R2.
Thanks again :-)
July 6th, 2010 4:20pm