We are in the middle of planning a migration from Server 2003 to Server 2008 AD. In a lab, we have migrated a root CA to 2008 and also migrated a subordinate CA to 2008. As part of planning I have performed a roll back to 2003. After the rollback, the clients requesting certificates get it directly from the root instead of the subordinate CA. We can still get the subordinate to issue a cert but have to request it manually and choose the “advanced” settings to be given a choice of which CA to request from. Why is the sub CA not the default choice for the client? What changed in the AD to set the root CA as the first choice for issuing certificates? Thank you for your help.

Hello, for CA related questions better ask in: http://social.technet.microsoft.com/Forums/en/winserversecurity/threadsBest regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.