I need to replace our Windows 2003 CA with a new server, different name. The current one was setup incorrectly with the wrong name and the CIO wants to know the feasibility of standing up a new one. Can I just stand up a new Enterprise Root CA in the current domain, let it issue certs and then start to revoke the old certs? What steps can I take here? The certs are only computer certs and a few web certs.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1183829e-ca2f-40f2-9350-c4ec753830baMy weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com

Thank you for that. "assign issuing templates to new CAs and remove them from old CAs. In this case clients will enroll for a certificates only from new CAs" I dont know what this means. Can you be more specific?

Open Certification Authority MMC snap-in (on old CA server) and expand Certificate Templates. You will see certificate templates that are supported by this CA. You will need to add the same template list on a new CA server. Right-click on Certificate Templates node, select All Tasks -> New -> Certificate template to issue. In the opened dialog box select all required templates and click Add.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com