We are migrating from an old Windows Server 2008 R2 (Win2K8) Certificate Authority (CA)
to a new Windows Server 2016 CA (Win2K16). In the new plan we would have an
Standalone Root CA (offline) and an Enterprise Subordinate CA (online).
The Subordinate CA will be part of the domain, but the Standalone Root CA will
be a workgroup NOT connected to the domain or network and will eventually be
turned off for safe keeping.
I had to do a Multi-tier or Two-tier approach. One of the requirements were
to copy the Certificate Templates from the old Win2K8 R2 CA to the new Online
Win2K16 CA. They were under the impression we have to copy the modified
Certificate Templates from the old Win2K8 CA to the new Win2K16 CA.
Now correct me if I'm wrong, but I was under the impression all
Certificate Templates live in Active Directory and would be accessible by
the new CA anyways, so there should NOT be any copying of Templates to new
CA. Please clarify.