I am working on a project to upgrade / migrate my 2008 R2 CA to 2012. I have an Enterprise Root CA and a Subordinate CA. I am following the standard migration plan of standing up 2 new servers and backing up the CA, removing the ADCS role, demote server, change server to workgroup, then on new server change host name to source CA, join domain, install ADCS, restore CA.
The question is which CA do I do first, the Root CA or the Subordinate CA, or does it matter since they will have the same host names as before?
- Moved by Santosh Bhandarkar (MVP, Moderator) Monday, October 14, 2013 10:00 AM Moved from Server General Forum
Based on my research, a root CA certificate is the first AD CS role service which has been installed generally. After a root CA has been installed, one or more subordinate CAs can be installed to implement policy restrictions.
In addition, if the root CA is an offline standalone root CA and you are migrating an offline standalone subordinate CA, the root CA certificate and current root CRL are required for the subordinate CA to function.
For more detailed information about AD CS migration, please refer to the link below:
Active Directory Certificate Services Migration Guide
- Proposed as answer by Susie Long (Microsoft contingent staff, Moderator) Monday, October 21, 2013 2:19 AM
I have not gotten an answer yet. The TechNet article does not have any information about what to do with a root and subordinate. I will be doing the root first in the coming weekend, migrating both servers during the same window. I would like to assume that a Windows 2012 root CA will work with a 2008 R2 subordinate. These are Active Directory Enterprise certificate authority servers.