Upgrade Windows Server 2008 Standalone Root CA to a Windows Server 2016 Root CA with two subordinates

We currently have a Windows Server 2008 Root CA as an all-in-one (non-DC) server, and the current domain is native Windows Server 2012.

We would like to upgrade to a distributed Root CA environment on a 2016 server infrastructure for the PKI, so that the Root CA and two subordinates are on Windows Server 2016.

We will be upgrading the functional level of the domain to 2016 in the upcoming months, but wanted to start here first.
Asked by: itsecalert

Mahesh (Architect) Commented:
Steps could be:
1. Back up the root CA.
2. Shut down the root CA.
3. Create a new 2016 server with the same hostname as the existing root CA.
4. Restore the CA backup on this server while installing a stand-alone CA.
5. Now build the other 2016 servers as sub CAs: join them to the domain and make them sub CAs.
6. Test and verify the functionality, and after that repurpose the old CA server.
itsecalert (Author) Commented:
Thanks. It is a bit of a broad answer. Does the current "old Root CA server" need to be deleted from AD and the new server added with the same name, or the same computer account name in AD, or just for the certificate's CA Name?

The current CA server is joined to the domain, is not a DC, and is connected to the network.

My plan is to set up a VM server as Root CA on Windows Server 2016,
set up the two subordinates,
then take the Root CA offline and power it off, unless I need to renew or authorize a third Sub.

Thank you for your answer. If there are any steps to be taken, I would like to see them. Most samples I have seen include only setting up a new Root CA when nothing is present, migrating a Root CA that is a DC, or migrating a standalone to a standalone.
Mahesh (Architect) Commented:
First of all,
if the CA is joined to the domain, you should not put it offline.
In order to take the CA offline, it should be part of a workgroup. Check your CA: is it a standalone root CA or an enterprise root CA?
You can check that from the AD configuration container under Services; if you find it there, it is an enterprise root CA.
One more way to check: if the CA console shows templates, again it is an enterprise CA.
You cannot put an enterprise root CA offline.
After checking, if it is a standalone root CA, then there is no need to delete the computer account in AD; simply reset it and join the new 2016 server with the same hostname to AD.
Also, you cannot change the CA name, as you will restore the CA certificate and database from backup.
Now, what you can do if your CA proves to be standalone after going through the above checks: get a new 2016 server VM with the same hostname as the previous one, but do not join it to the domain; restore it from backup, and then you can put it offline.
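As an added example (not part of this thread or of any Microsoft tooling), a PowerShell check that pulls together the two tests Mahesh describes, CA type and domain membership, so the answer can be read off before any backup or rebuild. It assumes it runs on the existing CA as a local administrator with the RSAT ActiveDirectory module installed, reads the CA type from the CertSvc registry key, and looks for the CA's pKIEnrollmentService entry under Public Key Services in the AD configuration partition; the function name is hypothetical.

```powershell
# Added example: pre-migration check for the existing CA. Assumes it runs
# on the CA host as a local administrator with the RSAT ActiveDirectory
# module installed; $caTypes follows the CAType registry enumeration.
function Get-CaMigrationProfile {
    $caTypes = @{
        0 = 'ENUM_ENTERPRISE_ROOTCA'
        1 = 'ENUM_ENTERPRISE_SUBCA'
        3 = 'ENUM_STANDALONE_ROOTCA'
        4 = 'ENUM_STANDALONE_SUBCA'
    }

    # 1. Local CA configuration: 'Active' names the CA instance and
    #    CAType under it says whether it is enterprise or standalone.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $caType = [int](Get-ItemProperty -Path "$cfgKey\$caName" -Name CAType).CAType
    $typeName = if ($caTypes.ContainsKey($caType)) { $caTypes[$caType] } else { "UNKNOWN($caType)" }

    # 2. Is the host itself domain-joined? (Mahesh's first condition.)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $fqdn = if ($cs.PartOfDomain) { "$($cs.DNSHostName).$($cs.Domain)" } else { $cs.DNSHostName }

    # 3. Enterprise CAs register a pKIEnrollmentService object under
    #    Public Key Services in the configuration partition; a standalone
    #    CA normally has no entry there.
    $adEntries = @()
    if ($cs.PartOfDomain) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $cfgNC = (Get-ADRootDSE).configurationNamingContext
        $base  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
        $adEntries = @(Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
                       Where-Object { $_.dNSHostName -ieq $fqdn } | Select-Object -ExpandProperty Name)
    }

    $isStandalone = $caType -in 3, 4
    [pscustomobject]@{
        CAName                = $caName
        CAType                = $typeName
        HostFqdn              = $fqdn
        DomainJoined          = $cs.PartOfDomain
        EnrollmentServicesAD  = $adEntries
        # An offline root only makes sense for a standalone CA on a workgroup host.
        CanBeOfflineRoot      = $isStandalone -and -not $cs.PartOfDomain
        # A domain-joined standalone root is the asker's situation: rebuild in a workgroup.
        NeedsWorkgroupRebuild = $isStandalone -and $cs.PartOfDomain
    }
}

Get-CaMigrationProfile | Format-List
```

If CAType reports an enterprise value or EnrollmentServicesAD is non-empty, the CA is the enterprise kind that Mahesh says cannot be taken offline, regardless of what the host's domain membership shows.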

itsecalert (Author) Commented:
I will give this a try. It is not really a stand-alone, as it is joined to the domain, but it is a solo PKI infrastructure member.