<div>
PKI is too complicated for a 'quick answer' in a guide that applies to your situation exactly. &nbsp;If you like I can try to help give you some direction. 
 
Are you looking to keep the existing server around as the root of the new PKI, or remove that and start over properly? 
 
Are you planning to upgrade from 2003 to 2008? &nbsp;Or just have the new one as 2008 for the online subordinate CA? &nbsp;Standard edition or Enterprise edition? 
 
If you're keeping the existing CA, was it installed as standalone or enterprise? 
 
Was the Active Directory Certificate Services - installation guide (AD CS == 2008) 
 
Are there any unique requirements (such as being cross-certified with another company or organization), or just for internal use? 
 
Approximately how large is your organization? &nbsp;Under 1000 certs, 1000-10,000, over 10,000? &nbsp;Don't base this on just your employee base, but rather what you expect to issue certs for (user smartcards, user email signing, user email encryption, user EFS, internal server SSL, workstations, etc.) 
 
Are you more concerned about budget or security? &nbsp;Since you had a single tier before I would figure budget, but since you're looking to do this right I would figure you have a little bit of funding to make the best solution without getting extreme. 
 
 
References - most of this is written for 2008, but most of it will apply to 2003 as well: 
 
How to decom a CA server properly from AD: 
<a href="http://support.microsoft.com/kb/889250" rel="ugc">http://support.microsoft.com/kb/889250</a> 
 
Active Directory Certificate Services - installation guide (AD CS == 2008) 
<a href="http://technet.microsoft.com/en-us/library/cc772393.aspx" rel="ugc">http://technet.microsoft.com/en-us/library/cc772393.aspx</a> 
&nbsp; 
AD CS upgrade &amp;&nbsp;migration guide: 
<a href="http://technet.microsoft.com/en-us/library/cc742515.aspx" rel="ugc">http://technet.microsoft.com/en-us/library/cc742515.aspx</a> 
&nbsp; 
General Technet stuff on 2008 CA: 
<a href="http://technet.microsoft.com/en-us/library/cc726345.aspx" rel="ugc">http://technet.microsoft.com/en-us/library/cc726345.aspx</a> 
 
&nbsp;
</div>

<div>
Yes you're right, I should be more specific. 
 
I have a single certificate server handing our certs so that our users can log into our VPN, there are 11 VPN users and I don't expect them to increase to more than 20 over the next few years. &nbsp;I issue my VPN users a smartcard with a logon certificate, and they use that to access our VPN. 
 
This application sits on its own DMZ, has its own windows 2003 active directory domain, and the 11 users are on this domain. 
 
While these users are small in number the application they are using is critical to the business, and the bosses want redundancy all over. &nbsp;So I thought the best way to do this was to move to a two tier architecture. &nbsp;I don't want to call the smart cards back in because these users are spread over the country and it would be just too disruptive. 
 
So basically I'm looking to switch to a two tier architecture purely to increase redundancy, not for security or performance reasons. 
 
So to your questions: 
1. Are you looking to keep the existing server around as the root of the new PKI, or remove that and start over properly? 
 
I'm not really sure, but I know I want the already issued keys and smartcards to continue to be valid. 
 
2. Are you planning to upgrade from 2003 to 2008? &nbsp;Or just have the new one as 2008 for the online subordinate CA? &nbsp;Standard edition or Enterprise edition? 
 
No plans to change to 2008, but if you think that there's something worthwhile there and you can guide me to some talking points to take to my boss, I'd be very grateful. Standard edition. 
 
3. Was the Active Directory Certificate Services - installation guide (AD CS == 2008) 
 
I'm afraid I don't understand the question 
 
4. Are there any unique requirements (such as being cross-certified with another company or organization), or just for internal use? 
 
Internal use only.
</div>

<div>
This sounds all very sensible, and you are right, the issue is really about DR rather than redundancy. &nbsp;The virtualised environment seems to be the way to go. 
 
My original question is still relevant though, how do we move to two tier while still keeping the validity of previously issued certs? &nbsp;Are there any guides out for that?
</div>

<div>
<div class="content wysiwyg-content">
I have a single tier MCS running on Windows 2003. &nbsp;I want to change this to two tier architecture while retaining validity of previously issued certs - are there any guide out there on how to do this?
</div>
</div>

I have a single tier MCS running on Windows 2003.  I want to change this to two tier architecture while retaining validity of previously issued certs - are there any guide out there on how to do this?

Migrate from 1-tier to 2-tier Certificate Services architecture

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

Windows Server 2003

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.