<div>
Hi Alan,<br />
My questions would be:<br />
1. Why are you recommending something that you don't know how to implement? (that's just plain weird).<br />
<br />
Here's some kind of step by step:<br />
<a href="https://security.stackexchange.com/questions/192519/how-to-set-up-a-two-tier-ca-hierarchy-in-windows-2012r2-certificate-authority" rel="ugc">https://security.stackexchange.com/questions/192519/how-to-set-up-a-two-tier-ca-hierarchy-in-windows-2012r2-certificate-authority</a><br />
<br />
2. Make sure to have at least try it in a test environment.
</div>


<div>
thanks. they reason is simple. while I might not be experienced in technically how to do the solution I still know what best practices are. actually, in my 20 years technical pre-sales it is very common. <br />
I think it's a bit odd you would actually ask that. our sales people sell solutions all day long does it mean to know how to do it. but they do understand the technology to some degree and best practices.<br />
I will take a look at the link. thank you
</div>


Microsoft 365 Platform Lead

Alan Cox

<div>
i am a SME on Exchange and Office 365 but deal almost exclusively in public CA in those spaces and has been years since I deployed a PKI. I was really just seeking additional opinions. was a decent article.
</div>


<div>
<div class="content wysiwyg-content">
Experts,<br />
<br />
I am no expert on PKI although I've setup a couple for simple uses.<br />
I have a client that has a single Enterprise root (single tier). They have server 2008 and are also looking to upgrade AD to 2016 while taking my recommendation to upgrade to 2 tier PKI (one offline root and 2 SUB Issuing).<br />
I understand the theory behind it but I could use some guidance on getting it done. I've looked at several articles but nothing that's detailed on this scenario.<br />
thinking I would just build out the PKI on 2016 separate as i know you can have multiple PKIs in the same forest (a good guide on this might be helpful also).<br />
But what needs to be copied over/moved to new PKI from old? GPO changes ect.<br />
Should PKI be done before AD or does that matter?<br />
I'm not overly familiar with this client so I'm not really sure what they use certificates for at this point.
</div>
</div>


Experts,

I am no expert on PKI although I've setup a couple for simple uses.
I have a client that has a single Enterprise root (single tier). They have server 2008 and are also looking to upgrade AD to 2016 while taking my recommendation to upgrade to 2 tier PKI (one offline root and 2 SUB Issuing).
I understand the theory behind it but I could use some guidance on getting it done. I've looked at several articles but nothing that's detailed on this scenario.
thinking I would just build out the PKI on 2016 separate as i know you can have multiple PKIs in the same forest (a good guide on this might be helpful also).
But what needs to be copied over/moved to new PKI from old? GPO changes ect.
Should PKI be done before AD or does that matter?
I'm not overly familiar with this client so I'm not really sure what they use certificates for at this point.

PKI upgrade

Public Key Infrastructure (PKI)

PKI CERTIFICATES

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.