That is a good action plan. Should work well. 2 tier CA may not be necessary (depends heavily on your compliance needs and physical security on the servers). Best practice says 2 tier, but best practices are recommendations only and don't apply to all situations.
Cool. Just to clarify then: if we haven't set up an internal CA before the update, clients will still be OK even after the update has been applied to them (they will use Kerberos). If we don't install the update on the DC, third-party/external devices will be OK.
So my thinking is to get a CA installed (2-tier) and install certificates onto the DC.
Then enable LDAPS and move external devices over to LDAPS.
Once done, install the March update.
Is my thinking correct?
Cheers,
Paul
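The plan above, as a set of checks you can run after each step (an added example, not code from either poster). It assumes the "March update" being discussed is the LDAP channel binding / LDAP signing hardening (ADV190023), that you run it from a domain-joined admin box with WinRM access to the DC, and that `$DC` is a placeholder for your own DC's FQDN. The TLS check deliberately accepts any certificate so it can report chain errors; it is a diagnostic, not a pattern for real client connections.

```powershell
# Added example, not from the original thread. Assumes the March update is the
# LDAP channel binding / signing hardening (ADV190023). $DC is hypothetical.
param(
    [string]$DC = "dc01.corp.example"   # hypothetical; replace with your DC FQDN
)

# Step check 1: after installing the CA and enrolling the DC, does the DC actually
# present a certificate on 636, and does THIS client trust the chain?
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $script:chainErrors = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Callback records chain errors but returns $true so we can still read the cert.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:chainErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $Server
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer          # should be your new issuing CA
            NotAfter    = $cert.NotAfter
            ChainErrors = $script:chainErrors   # 'None' means the client trusts the chain
        }
    } finally {
        $client.Dispose()
    }
}

# Step check 2: what are the DC's current signing / channel-binding settings?
# Until you deliberately change them, the update only adds the ability to enforce.
function Get-LdapHardening {
    param([string]$Server)
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $v = Get-ItemProperty -Path $p
        [pscustomobject]@{
            Server                    = $env:COMPUTERNAME
            LDAPServerIntegrity       = $v.LDAPServerIntegrity       # 1 = negotiate (default), 2 = require signing
            LdapEnforceChannelBinding = $v.LdapEnforceChannelBinding # 0 = off, 1 = when supported, 2 = always
        }
    }
}

# Step check 3: before flipping anything, find out who still binds without
# signing/TLS. 2887 is the daily summary count; 2889 names the clients once
# '16 LDAP Interface Events' diagnostics is set to 2 under NTDS\Diagnostics.
function Get-UnsignedBindReport {
    param([string]$Server, [int]$Days = 7)
    Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Test-Ldaps -Server $DC | Format-List
Get-LdapHardening -Server $DC | Format-List
Get-UnsignedBindReport -Server $DC | Format-Table -Wrap
```

Run the first check from a box that does not yet have your root CA in its trust store and you will see the chain error that the third-party devices will see until you distribute the CA certificate to them; run the third check for at least a week before the final step so the 2889 entries show every external device that still needs moving to LDAPS.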