Two Issuing CAs at 2nd Tier
Planning on installing a two-tier PKI with 2 issuing CAs to ensure that if 1 issuing CA is down the other issuing CA will still be available.
Question - if both issuing CAs have the same certificate template deployed, is there a priority for enroll/auto enroll? How do clients decide which CA to use?
Thank you,
Paul
May 20th, 2011 5:11pm
This depends on the protocol used for enrollment. For pre-Windows Server 2008 R2 systems CA instances are processed in an arbitrary order (as they are retrieved from AD). For Windows Server 2008 R2 and Windows 7 it is possible to assign two or more policy servers that will be used by autoenrollment. In this case policy identifiers are sorted as follows:
a) sort policies in ascending order based on Cost value (HKLM\Software\Policies\Cryptography\PolicyServers\{PolicyID}\Cost)
b) if two or more instances have the same Cost value the following rules apply:
c) sort those that use Kerberos authentication
d) sort those that use Anonymous authentication (though, not supported)
e) the remaining instances follow in an arbitrary order.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 20th, 2011 8:15pm
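The ordering rule in the answer above, written out as an added PowerShell example (it is not part of the original thread and not from the PSPKI module). It assumes each policy-server entry carries an AuthFlags value using the X509EnrollmentAuthFlags bits (2 = Anonymous, 4 = Kerberos); the thread only names the Cost value, and the registry path is used exactly as the answer quotes it. The sample entries and their PolicyID GUIDs are constructed, so the sort can be run offline to predict which CA autoenrollment will try first and whether a second issuing CA really is the fallback.

```powershell
# Added example: predict the order in which autoenrollment tries policy servers.
# Sort key per the answer: Cost ascending, then (within equal Cost) Kerberos
# before Anonymous before everything else. Remaining ties keep input order,
# which stands in for "arbitrary" in the original description.

function Get-AuthRank {
    param([int]$AuthFlags)
    # ASSUMPTION: X509EnrollmentAuthFlags bits (2 = Anonymous, 4 = Kerberos).
    if ($AuthFlags -band 4) { return 0 }   # Kerberos first
    if ($AuthFlags -band 2) { return 1 }   # Anonymous next (not supported for autoenrollment)
    return 2                               # anything else
}

function Get-PolicyServerOrder {
    param([Parameter(Mandatory)][object[]]$Servers)
    $i = 0
    $indexed = foreach ($s in $Servers) {
        [pscustomobject]@{
            Index     = $i++
            PolicyID  = $s.PolicyID
            Name      = $s.FriendlyName
            Cost      = [int]$s.Cost
            AuthFlags = [int]$s.AuthFlags
        }
    }
    $indexed |
        Sort-Object -Property @{Expression = 'Cost'},
                              @{Expression = { Get-AuthRank $_.AuthFlags }},
                              @{Expression = 'Index'} |
        Select-Object PolicyID, Name, Cost, AuthFlags
}

function Get-PolicyServersFromRegistry {
    # Reads the machine-policy path quoted in the answer; returns nothing if absent.
    # ASSUMPTION: value names Cost, AuthFlags and FriendlyName under each {PolicyID} key.
    $base = 'HKLM:\Software\Policies\Cryptography\PolicyServers'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            PolicyID     = $_.PSChildName
            FriendlyName = $p.FriendlyName
            Cost         = $p.Cost
            AuthFlags    = $p.AuthFlags
        }
    }
}

# Constructed sample: two issuing CAs published at equal Cost, one behind
# Kerberos and one anonymous, plus a higher-Cost entry. Placeholder GUIDs.
$sample = @(
    [pscustomobject]@{ PolicyID = '{00000000-0000-0000-0000-000000000003}'; FriendlyName = 'IssuingCA2 (anonymous)'; Cost = 100; AuthFlags = 2 }
    [pscustomobject]@{ PolicyID = '{00000000-0000-0000-0000-000000000001}'; FriendlyName = 'Remote site CA';         Cost = 200; AuthFlags = 4 }
    [pscustomobject]@{ PolicyID = '{00000000-0000-0000-0000-000000000002}'; FriendlyName = 'IssuingCA1 (Kerberos)';  Cost = 100; AuthFlags = 4 }
)

# Expected order: IssuingCA1 (Kerberos), IssuingCA2 (anonymous), Remote site CA.
Get-PolicyServerOrder -Servers $sample | Format-Table -AutoSize
```

On a domain member with policy servers configured, replace `$sample` with the output of `Get-PolicyServersFromRegistry` to see the order that host will actually follow; if the two issuing CAs are meant to be interchangeable, give them the same Cost and the same authentication type so that neither is systematically preferred.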