Need advice in planning AD CS upgrade / move


I have a couple of questions as I plan my AD CS upgrade from 2008 R2 to 2012 R2, and in the process design a better system. I am starting with a domain controller that runs CS as well and is named CertDC. I'd like to make 2 new servers, which I would call RootCA and SubCA. RootCA will be an off-domain server that only issues keys to SubCA, and SubCA issues keys to everyone on the domain.

So, I understand that it would be best for me to back up CertDC and restore to a similar issuing server. But since RootCA is a different name AND an offline CA, does that mean I do the following:

1) Make a standalone CA on RootCA - update CRL and AIA distribution points to point to SubCA
2) Make SubCA an enterprise subordinate CA
3) Restore the backup from the old CertDC on SubCA
4) Import a modified reg file that changes the name of the root CA and import that on SubCA

Am I on the right track? Or am I to restore the database to the RootCA server instead?

Thanks for your thoughts!
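The four steps in the question, written out as PowerShell and certutil commands. This is an added example, not code from the thread or from the article it later cites. One adjustment a practitioner would make: the CRL and AIA locations should be an HTTP path every domain client (and non-domain client) can reach, so below they point at a web directory hosted on SubCA rather than at the SubCA server name as such. The domain contoso.com, the host name pki.contoso.com, the key sizes and the CRL intervals are assumptions; the CA names RootCA and SubCA come from the question.

```powershell
# Added example (not part of the original thread). Assumptions: domain contoso.com,
# HTTP host pki.contoso.com (IIS on SubCA), CA names RootCA / SubCA, RSA 4096 with SHA-256.

### RootCA: workgroup member, powered off between uses ###
# CAPolicy.inf must exist in %windir% before the role is configured. Empty CDP/AIA
# keeps revocation URLs out of the self-signed root cert; the 26-week CRL lets it stay off.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'RootCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# CDP/AIA written into the certificates the root issues (only SubCA's). Flag 1 = publish
# to this path, 2 = include in the extension; certutil splits entries on a literal \n.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10      # longest certificate the root will issue (SubCA's)
certutil -setreg CA\ValidityPeriod 'Years'
Restart-Service certsvc
certutil -crl                                   # first root CRL, written to CertEnroll

# Move RootCA_RootCA.crt and RootCA.crl from CertEnroll to the pki directory by removable
# media, then from a domain-joined host as an Enterprise Admin so every member trusts the root:
#   certutil -dspublish -f .\RootCA_RootCA.crt RootCA
#   certutil -dspublish -f .\RootCA.crl

### SubCA: domain-joined enterprise subordinate, also hosts http://pki.contoso.com/pki ###
Install-WindowsFeature ADCS-Cert-Authority, Web-Server -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'SubCA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -OutputCertRequestFile 'C:\SubCA.req' -Force
# certsvc stays stopped until the signed CA certificate is installed. On RootCA
# (a standalone CA pends the request by default; note the RequestId it prints):
#   certreq -submit -config 'RootCA\RootCA' C:\SubCA.req
#   certutil -resubmit <RequestId>
#   certreq -retrieve -config 'RootCA\RootCA' <RequestId> C:\SubCA.cer
certutil -installcert 'C:\SubCA.cer'

# The HTTP location: an IIS virtual directory over CertEnroll. Delta CRL file names
# contain '+', which IIS request filtering rejects unless double escaping is allowed.
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'pki' -PhysicalPath "$env:windir\system32\CertSrv\CertEnroll"
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\pki' `
    -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

# SubCA's own CDP/AIA: LDAP for domain members (79 = publish + CDP + delta + all CRLs),
# HTTP for everything else (6 = CDP + delta location). Weekly base CRL, daily delta.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\AuditFilter 127             # audit every CA operation once Object Access auditing is on
Start-Service certsvc
certutil -crl

# Every URL in the chain must fetch; pkiview.msc shows the same result graphically.
certutil -verify -urlfetch 'C:\SubCA.cer'
```

Two points this makes concrete that the question's step list leaves open: the old CertDC database is not restored to either new server (RootCA and SubCA are new CAs with new keys), and the root's CRL must be copied to the HTTP location by hand every time it is republished, which is why its CRL period is long.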
Don S. commented:
Since you will be changing the name of the CA as well as how everything is issued, you will be building your enterprise PKI new from scratch and using the new PKI to replace anything that was previously issued.  There is no backup that is going to help you do this.

dgapinski (Author) commented:
I found a good article on this topic: Moving Your Organization from a Single Microsoft CA to a Microsoft Recommended PKI

It put my mind at ease about the whole project of replacing the current CA right away, which isn't necessary. Have 2! Then migrate the users & computers to the new one as they need it, and decommission the old server once the last certificate issued from that server is needed (i.e., once the old CRL isn't needed anymore, then it's finally time to kill the old server).
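A way to put a date on "once the old CRL isn't needed anymore": query the old CA's database for certificates that have not yet expired. This is an added example, not code from the thread. It includes revoked certificates as well as issued ones, because a revoked certificate still needs the CA's CRL to be reachable until its own expiry date. The CA configuration string CertDC\contoso-CertDC-CA is an assumption; substitute the value shown by certutil -dump on the old server.

```powershell
# Added example (not part of the original thread). Lists every certificate the old CA
# has issued or revoked whose NotAfter is still in the future, newest expiry first.
# The config string below is an assumption; use `certutil -dump` on CertDC to get the real one.
function Get-OutstandingCerts {
    param([Parameter(Mandatory)][string]$Config)   # "<host>\<CA name>"
    $now = Get-Date
    # Disposition 20 = issued, 21 = revoked. Queried separately so the disposition
    # never has to be parsed out of certutil's locale-dependent text.
    $rows = foreach ($state in @(@{ Code = 20; Name = 'issued' }, @{ Code = 21; Name = 'revoked' })) {
        $raw = & certutil -config $Config -view -restrict "Disposition=$($state.Code)" `
                          -out 'RequestID,NotAfter,CommonName' csv
        if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $Config" }
        # Keep only data rows (they start with the numeric RequestID); this drops the
        # header line and certutil's trailing "command completed" message.
        $raw | Where-Object { $_ -match '^"?\d+"?,' } |
            ConvertFrom-Csv -Header RequestID, NotAfter, CommonName |
            ForEach-Object {
                $exp = [datetime]::Parse($_.NotAfter)   # date text is in the local culture
                if ($exp -gt $now) {
                    [pscustomobject]@{
                        RequestID  = [int]$_.RequestID
                        State      = $state.Name
                        CommonName = $_.CommonName
                        NotAfter   = $exp
                    }
                }
            }
    }
    $rows | Sort-Object NotAfter -Descending
}

$pending = @(Get-OutstandingCerts -Config 'CertDC\contoso-CertDC-CA')
if ($pending.Count -eq 0) {
    'Nothing unexpired remains on CertDC; it can be retired.'
} else {
    'CertDC still covers {0} certificates; the last one expires {1:yyyy-MM-dd} ({2}, {3}).' -f `
        $pending.Count, $pending[0].NotAfter, $pending[0].CommonName, $pending[0].State
    $pending | Group-Object State | Select-Object Name, Count
    $pending | Select-Object -First 10 | Format-Table -AutoSize
}
```

If the server has to go before that last expiry date, the usual practice is to publish one final CRL from CertDC whose validity period runs past that date and keep the CRL reachable at its published CDP URL, otherwise clients that still hold those certificates will start seeing revocation-check failures as soon as the current CRL lapses.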
dgapinski (Author) commented:
So then my remaining question is that it would be ok to have a 2008 R2 CS server on a 2012 domain functional level?
Don S. commented:
PKI doesn't care what level your domain is at.
dgapinski (Author) commented:
Thanks, much appreciated!