<div>
Thanks for the tip. &nbsp;I ended up migrating both the offline root and the issuing CA to new virtual machines. Both the original 2003 servers were 32-bit and therefore couldn't do the in-place upgrade to 2008 R2 and the recommendation from a member on the Windows Server 2008 R2 blog recommended that there be no version mismatches in our PKI.
</div>


Thanks for the tip.  I ended up migrating both the offline root and the issuing CA to new virtual machines. Both the original 2003 servers were 32-bit and therefore couldn't do the in-place upgrade to 2008 R2 and the recommendation from a member on the Windows Server 2008 R2 blog recommended that there be no version mismatches in our PKI.

<div>
<div class="content wysiwyg-content">
I'm planning an OK upgrade to the servers in my 2-tier PKI and there's a couple things I'm not clear on.<br />
<br />
Here's what I have:<br />
A Standalone Offline Root CA (non-domain joined, not on the network) running Server 2003 Standard SP2.<br />
An Issuing CA (online, domain joined) running Server 2003 Enterprise SP2.<br />
<br />
I need to upgrade my issuing CA to Server 2008 R2 SP1, which for my purposes seems to be safely done as an in-place upgrade. <br />
<br />
<b>What I'm unclear on is this: </b><br />
<i>1) Do I need to upgrade the OS on my RootCA as well?<br />
2) If so, which machine should I upgrade first?<br />
3) If so, do I still keep the Root on Standard and the Issuing on Enterprise?<br />
</i><br />
Any help from Windows Server and PKI pros out there would be much appreciated!<br />
<br />
Thanks in advance,<br />
Joshua Kautzman<br />
System Support Engineer<br />
Ascentium Corp
</div>
</div>


I'm planning an OK upgrade to the servers in my 2-tier PKI and there's a couple things I'm not clear on.

Here's what I have:
A Standalone Offline Root CA (non-domain joined, not on the network) running Server 2003 Standard SP2.
An Issuing CA (online, domain joined) running Server 2003 Enterprise SP2.

I need to upgrade my issuing CA to Server 2008 R2 SP1, which for my purposes seems to be safely done as an in-place upgrade. 

What I'm unclear on is this: 
1) Do I need to upgrade the OS on my RootCA as well?
2) If so, which machine should I upgrade first?
3) If so, do I still keep the Root on Standard and the Issuing on Enterprise?

Any help from Windows Server and PKI pros out there would be much appreciated!

Thanks in advance,
Joshua Kautzman
System Support Engineer
Ascentium Corp

Upgrading my Two-Tier PKI from Server 2003 to Server 2008R2

Microsoft server applications are those applications developed specifically, but not necessarily exclusively, on the Windows Server platform. In addition to well-known products like SQL Server, Exchange, Internet Information Services (IIS), Microsoft Dynamics, Forefront, Lync and Sharepoint, they include applications like Skype, BizTalk, Hyper-V, Groove and Commerce Server. Server applications are managed with the Microsoft System Center.

Microsoft Server Apps

Network security consists of the policies adopted to prevent and monitor authorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, and covers a variety of computer networks; conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access.

Network Security

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.