Excerpt from the book about enterprise root CAs:
If you choose a single-tier CA hierarchy deployment model (meaning one CA),
ensure that you deploy a single enterprise root. Do not start deploying
enterprise root CAs for each application that requires certificates.
Deploying CAs in this manner typically leads to failed PKI deployments.
There is also an older KB article http://support.microsoft.com/kb/298138
"How to move a certification authority to another server",
but this info is for Win 2000 and 2003.
"Dusko Savatovic" <savatovic@newsgroup> wrote in message
> I can recommend a book
> Windows Server 2008 PKI and Certificate Security by Brian Komar, MSPress.
> Chapter 7: Upgrading your existing Microsoft PKI.
> But the whole book is a great reference for PKI planning, deployment and
> Good luck
> "Zachary" <zdundore@newsgroup> wrote in message
>> Thanks for the advice, I will follow that but I still have one question,
>> can I have two servers acting as the Enterprise Root CA's in the same
>> I would like to run both the server 2008 and the server 2000 CA's side by
>> side till all the certs expire on the 2000 machine and get new certs from
>> the 2008 machine.
>> "Dusko Savatovic" <savatovic@newsgroup> wrote in message
>>> 1. Use Win 2008. Certificate services are greatly improved in Win 2008
>>> and later. OCSP is one improvement.
>>> 2. Use it on a member server. Best practice recommends using offline
>>> root CAs. If such a CA is on a DC, the DC would have problems maintaining
>>> sync with other DCs.
>>> "Zachary" <zdundore@newsgroup> wrote in message
>>>> I have an old Windows 2000 Server that is a domain controller. I want
>>>> to demote this server and rebuild it to be an archiving location. The
>>>> only piece of software that I need to move off of it yet is the CA.
>>>> Other than that it is just operating as a backup DC. I have many
>>>> options on where to move it to, I was just wondering what would be the
>>>> best choice. We have two other Win2000 servers, three Win2003 servers,
>>>> and one Win2008 server. Which one would be recommended? Also, would it
>>>> be wise to move the CA to another DC or would it be better to move it
>>>> to a member server instead?
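Added example, not from the thread or from the book it cites: a PowerShell script that does the two checks the thread keeps circling back to before the CA is moved. It lists every enterprise CA that Active Directory currently advertises (each one publishes a pKIEnrollmentService object under the Enrollment Services container, so two enterprise roots running side by side show up as two entries), reports whether the local host is a domain controller, and then takes the certutil backup plus registry export that the KB 298138 move procedure is built on. Assumptions: it runs elevated as an Enterprise Admin on a domain-joined host that has certutil.exe; `C:\CABackup` is a placeholder path; certutil prompts for the PFX password when `-p` is omitted.

```powershell
# Added example (not from the thread): inventory enterprise CAs advertised
# in AD, check the host role, then back up the CA the way a move requires.
# Assumptions: elevated Enterprise Admin session, domain-joined host,
# certutil.exe present, $backupDir is a placeholder to change.

# 1. Every enterprise CA registers a pKIEnrollmentService object here.
#    Two enterprise roots side by side would appear as two children,
#    which is exactly what the book excerpt warns against.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDse.Properties["configurationNamingContext"].Value
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

"Enterprise CAs advertised in AD:"
$count = 0
foreach ($ca in $enrollSvc.Children) {
    $count++
    "  {0,-30} on {1}" -f $ca.Properties["cn"].Value, $ca.Properties["dNSHostName"].Value
}
if ($count -gt 1) {
    Write-Warning "$count enterprise CAs are registered; the book recommends a single enterprise root."
}

# 2. DomainRole 4 (backup DC) or 5 (primary DC) means the CA is on a DC,
#    which the thread advises against; 3 is a member server.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
switch ($role) {
    3 { "Local host is a member server (DomainRole=3)." }
    4 { Write-Warning "Local host is a backup DC (DomainRole=4); move the CA to a member server." }
    5 { Write-Warning "Local host is a primary DC (DomainRole=5); move the CA to a member server." }
    default { "Local host DomainRole=$role (not a domain member server or DC)." }
}

# 3. Back up what a move needs: the CA database and log (-backup), the CA
#    key and certificate as a password-protected PFX (certutil prompts for
#    the password), and the CertSvc configuration registry key. These three
#    artifacts are what gets restored on the new server.
$backupDir = 'C:\CABackup'   # placeholder
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

certutil -backup $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backupDir\CertSvc-Configuration.reg" /y
if ($LASTEXITCODE -ne 0) { throw "registry export failed with exit code $LASTEXITCODE" }

"Backup written to $backupDir; copy it off the box before demoting or rebuilding this server."
```

The registry export matters because the CA's configuration (CRL and AIA publication points, validity periods, the CA name the old certificates chain to) lives under that key and is not included in the certutil backup; restoring the database and key without it gives you a CA that does not issue CRLs to the paths the existing certificates point at.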